The Second International Counter Ransomware Initiative (CRI) Summit held recently at the White House turned the spotlight on the need to counter cybercriminal and other threat actors’ efforts to use the cryptocurrency ecosystem to garner payments and mask illicit activity.
Now more than ever, financial investigators need to use open-source intelligence to trace illicit funds and criminal activity associated with cryptocurrencies. While not all crypto transactions are peer-to-peer (P2P), the P2P nature and privacy of some cryptocurrency has become an attractive way to pay—not just for ordinary citizens, but also for criminals.
The White House brought together 36 countries and the European Union for the summit to discuss cooperative actions to counter the spread and impact of ransomware around the globe. Of note, the countries committed to hold a second counter-illicit finance ransomware workshop to expand on the lessons learned during the first workshop led by the U.S. Department of Treasury in July 2022 to build capacity on blockchain tracing and analytics. This will include a tabletop ransomware exercise, coordinated with law enforcement.
Additionally, the participants agreed to share information about cryptocurrency “wallets” used for laundering extorted funds and the development and implementation of the international anti-money laundering/combating the financing of terrorism (AML/CFT) standards for cryptocurrency and related service providers.
Masking illicit crypto activity
In today’s world, cyber criminals increasingly use cryptocurrency to hide their activities and connections. For example, in August 2022, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned virtual currency mixer Tornado Cash, which has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.
“Tornado Cash is a virtual currency mixer that operates on the Ethereum blockchain and indiscriminately facilitates anonymous transactions by obfuscating their origin, destination, and counterparties, with no attempt to determine their origin,” according to Treasury officials.
Blockchain, the foundation for cryptocurrency
Blockchain technology allows for the existence of cryptocurrency, delivering a shared, immutable ledger for recording transactions, tracking assets, and building trust. In most cases, investigators are only getting a piece of the pie by looking at transactions on the ledger; to get a comprehensive understanding of the illicit activity, security teams need to pair on-chain data needs with off-chain data.
Investigators need to see beyond what happens on ledgers and what happens in crypto wallets. There’s much more data on the dark web that can give a full view of the wallet. Investigators need to know if crypto addresses were shared on the dark web or used in social media posts. Traditional blockchain analysis tools cannot give them this full view.
At the same time, when people buy or sell crypto, they rely on their wallets to keep their funds safe and secure. But no wallet is ever truly safe from cybercriminals, and many people have become victims of hacks, wherein their funds are either partly or entirely stolen.
Mitigating ransomware crypto attacks
In today’s data inundated world, investigators must use automated, AI-powered blockchain analysis that continuously scans the web and the dark web to categorize the technical details and other digital footprints left behind by blockchain transactions, as well as identify vulnerabilities in crypto wallets that can result in theft and compromised transactions.
The CRI Summit illustrated that governments and companies are looking for comprehensive strategies to handle crypto ransomware attacks. An AI-powered web intelligence (WEBINT) platform lets investigators collect, analyze, and monitor crypto currency addresses used in transactions on blockchain. As a result, strains of ransomware are detected and attributed to threat actors. The platform scans and detects data from all layers of the web using AI and machine learning. Afterwards, generated reports offer insights, such as where the threat actors provide ransomware as a service, the dark web forums where they discuss their ransomware attacks and buy ransomware kits.
Armed with an AI-powered WEBINT platform, investigators can trace the cryptocurrency money trail back to the threat actors, regardless of geographical location, language or cryptocurrency used. This knowledge helps law enforcement investigations and gives organizations a way to comply with anti-laundering and terror financing legislation and avoid fines. Moreover, an AI-powered platform can proactively assist in defending against crypto ransomware attacks.
Threat actors as well as criminal elements and organizations leave a digital footprint during their activities that are normally detected by solutions that analyze the technical details of electronic activity, online behavior, and cyber information such as IP addresses, timestamps, and device indicators. These solutions are useful, but do not give the full picture.
Complex financial networks are often hard to detect because of various masking methods threat actors use to keep their activities hidden. Law enforcement agencies are often relying on internal data such as transactions, criminal records and prior cases that only provide limited information. With only 5% of information publicly-available on the open web and 95% in the dark web, an AI-powered WEBINT capability can assist investigations by extracting comprehensive intelligent insights on cryptocurrency activity.
Udi Levy, co-founder and CEO, Cobwebs Technologies