
Chainalysis launches stolen cryptocurrency tracking team for enterprise

Chainalysis announced Wednesday the launch of a service to recover stolen cryptocurrency. Pictured: Stickers depicting Guy Fawkes masks (Anonymous mask) and the bitcoin logo are seen at a stand in the exhibition hall during the Bitcoin 2022 Conference at Miami Beach Convention Center on April 8, 2022, in Miami. (Photo by Marco Bello/Getty Images)

Blockchain analysis firm Chainalysis announced Wednesday a new investigative team to help recover stolen and scammed cryptocurrency, its first distinct product for enterprise.

The firm already accepted engagements to track down where the funds taken by ransomware, scams, cryptominers and other digital crime end up, but those engagements were more of an informal offering from the company — victims who reached out by Facebook or Twitter, or had an existing relationship with the company. Those investigations competed for internal resources with Chainalysis' more formal work for legacy and cryptocurrency financial institutions and law enforcement. The "Crypto Incident Response Services" team provides a dedicated staff for that purpose.

"There's a period of time right at the beginning, where it's really important to surge on getting 24/7 tracing on the funds as they move," said Erin Plante, senior director of investigations and special programs at Chainalysis.

Quickly getting a handle on the situation, she said, allows victims to properly game plan to recover the funds — there's a difference in strategy between dealing with cryptocurrency theft from a nation-state, a criminal group, and a lone hacker looking for a quick payoff to return the bulk of the take. Chainalysis, she said, is often able to leverage its business relationships and position in the community to get exchanges to place unofficial holds on stolen funds immediately while law enforcement and the courts prepare an official move to recover funds.

That immediacy can be a big deal if, for example, funds are stolen from an actor in a foreign country whose business hours extend late into the American night. It can be hard to get the legal ball rolling at three in the morning. Meanwhile, the thieves can keep moving the funds, making them harder to ultimately recapture.

Plante said the goal of Crypto Incident Response Services is not to replace law enforcement, but to provide specialized help from the very group law enforcement might reach out to in complex cases.

"You should go to the FBI. But the FBI has scarce resources," she said. "For things like de-mixing and some of the more advanced obfuscation techniques, they'll often reach out to Chainalysis."

"If your hacker happens to be North Korea, they're going to be very interested. If it's not, they may be less interested. Law enforcement cannot put 24/7 coverage on monitoring your funds and trying to get them back. The FBI is extremely skilled at these types of attacks and this type of tracing, but they're not going to leverage a full coverage model in that way," she said.

Last year the Department of Justice, aided by Chainalysis' tools, was able to recover $2.3 million in cryptocurrency paid as ransom in the Colonial Pipeline attack. That was 85% of the total Bitcoin taken, though in the time between the ransom payment and the recovery the price of Bitcoin had plummeted, leaving it worth only around half the $4.4 million ransom.

There are obvious self-interest reasons to want to recover ill-gotten cryptocurrency. But, Plante noted, there are national security reasons, as well. North Korea, for example, uses cryptocurrency theft to evade sanctions.

"We've been watching for years the escalation of hacking groups, particularly North Korea, in their indiscriminate attacks against cryptocurrency exchanges and trading platforms, and we want to be there for the victims of these," she said. "We strive for a safer cryptocurrency ecosystem, and these types of attacks on the ecosystem as a whole go against any third-party analysis."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
