Study Reveals Conti Affiliates' Money Laundering Practices
Affiliates Relied on Less Complex, Trackable Methods, It Says
Contrary to the popular notion that ransomware hackers are sophisticated launderers of their stolen money, research shows they use straightforward mechanisms to transfer their bitcoin - allowing researchers to follow their money trail.
In a study examining data leaked during the May 2022 collapse of the Conti ransomware-as-a-service group, a researcher at the Catholic University of the Sacred Heart at Milan analyzed 182 bitcoin addresses belonging to 56 Conti affiliates. Most often, Conti administrators merely deposited the earnings, leaving affiliates to work out for themselves how to launder them.
Doctoral candidate Mirko Nazzari wrote that affiliates moved the majority of all illicit proceeds in a single, direct transaction rather than breaking them into multiple transactions over time. "This habit is highly insecure because it does not add any obfuscation layers between the illicit proceeds and their criminal origin."
Only a small number of affiliates - 8% - transacted with a crypto mixer, a service that pools potentially tainted funds and randomly distributes them to destination wallets in a bid to make tracing stolen cryptocurrency hard or impossible.
The more money a Conti affiliate received from ransomware, the more likely the hacker was to use a mixer, Nazzari said. Approximately one-quarter of wallets that received more than $1,000 in payment did use a mixer, while nearly 40% used a dark web service.
Affiliates didn't entirely ignore operational security practices, Nazzari found. Nearly all of the addresses receiving initial payment were "non-custodial," meaning that affiliates didn't rely on a crypto exchange to hold the money, preferring to hold on to the wallets' private keys. Still, exchanges were the most common destination for the initial payment.
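The behaviours the study measured (a single direct transaction out of the payout address, whether a mixer was touched, and whether the funds ended at an exchange) can be checked mechanically once the transaction graph is available. The following is an added illustration, not code from the study or from any tracing vendor: it walks a small constructed UTXO-style ledger forward from each affiliate payout address and reports the same three properties. The ledger, the address labels and the payout amounts are all made up for the example; a real analysis would pull spends from a node or an indexer and use a curated label set for exchange and mixer clusters.

```python
"""Toy forward trace of ransomware payouts over a constructed ledger.

Added example (hypothetical data): for each payout address, report whether
the whole amount left in one direct transaction, and which labelled services
(exchange, mixer) the funds reached and after how many hops.
"""
from collections import defaultdict, deque

# Constructed sample ledger: txid -> inputs (addresses spent) and outputs (addr, BTC).
# Each transaction spends from one address to keep the walk easy to follow.
LEDGER = {
    "tx1": {"inputs": ["affA"], "outputs": [("exch1", 1.0)]},                      # one hop straight to an exchange
    "tx2": {"inputs": ["affB"], "outputs": [("affB_hold", 0.3), ("mix1", 0.2)]},   # split: part held, part to a mixer
    "tx3": {"inputs": ["affB_hold"], "outputs": [("exch2", 0.3)]},
    "tx4": {"inputs": ["affC"], "outputs": [("c1", 2.0)]},                         # full amount, but through own hops
    "tx5": {"inputs": ["c1"], "outputs": [("c2", 2.0)]},
    "tx6": {"inputs": ["c2"], "outputs": [("exch1", 2.0)]},
}

# Constructed label set standing in for a curated cluster database.
LABELS = {"exch1": "exchange", "exch2": "exchange", "mix1": "mixer"}

# Constructed payouts: affiliate address -> BTC received from the operator.
PAYOUTS = {"affA": 1.0, "affB": 0.5, "affC": 2.0}


def build_spend_index(ledger):
    """Map each address to the txids that spend from it."""
    idx = defaultdict(list)
    for txid, tx in ledger.items():
        for addr in tx["inputs"]:
            idx[addr].append(txid)
    return idx


def trace(addr, amount, ledger, labels, max_hops=10):
    """Follow funds forward from addr; stop at labelled services.

    Returns whether the payout left in a single direct transaction (one spend,
    one output, full amount) and a map service-kind -> hop count of first contact.
    """
    idx = build_spend_index(ledger)
    spends = idx.get(addr, [])
    single_direct = False
    if len(spends) == 1:
        outs = ledger[spends[0]]["outputs"]
        single_direct = len(outs) == 1 and abs(outs[0][1] - amount) < 1e-8

    reached = {}
    seen = {addr}
    queue = deque([(addr, 0)])
    while queue:                      # breadth-first, so first contact is the shortest path
        cur, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for txid in idx.get(cur, []):
            for out_addr, _ in ledger[txid]["outputs"]:
                if out_addr in seen:
                    continue
                seen.add(out_addr)
                kind = labels.get(out_addr)
                if kind:
                    reached.setdefault(kind, hops + 1)   # do not walk past a service
                else:
                    queue.append((out_addr, hops + 1))
    return {"single_direct": single_direct, "reached": reached}


def summarize(payouts, ledger, labels):
    """Aggregate the per-address traces into the shares the study reports."""
    per_address = {a: trace(a, amt, ledger, labels) for a, amt in payouts.items()}
    n = len(per_address)
    return {
        "single_direct_share": sum(r["single_direct"] for r in per_address.values()) / n,
        "mixer_share": sum("mixer" in r["reached"] for r in per_address.values()) / n,
        "per_address": per_address,
    }


if __name__ == "__main__":
    result = summarize(PAYOUTS, LEDGER, LABELS)
    for a, r in result["per_address"].items():
        print(a, r)
    print("single direct share:", round(result["single_direct_share"], 2))
    print("mixer share:", round(result["mixer_share"], 2))
```

Note that the walk stops at the first labelled address it meets: once funds land in an exchange or mixer cluster, on-chain tracing gives way to subpoena-based work (for exchanges) or becomes unreliable (for mixers), which is the point made by the study about where investigators recover leads.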
"Despite the dominant narrative, not all members of cybercriminal networks are high-skilled," the report says. "This lack of expertise seems to extend also to their knowledge of money laundering practices."
Law enforcement agencies have successfully identified and sanctioned Conti members, mainly by following the money through cryptocurrency wallet tracking.
Nazzari said governments must ensure that crypto platforms enforce anti-money laundering and "know your customer" regulations. Law enforcement can subpoena these services and obtain key offenders' information, such as personal bank accounts, email addresses, phone numbers and even IP addresses.