Ransomware hackers have found a new way to launder money: mining new coins to replace “tainted” ones, according to blockchain analytics firm Chainalysis. The firm located 372 exchange deposit wallets that received both mining profits and ransomware proceeds, totaling $158.3 million since 2018. “Overall, the data suggests that mining pools may play a key role in many ransomware actors’ money laundering strategy,” Chainalysis wrote.
This money laundering method is becoming increasingly popular, with ransomware-related wallets sending more and more funds to mining pools since 2018. Chainalysis gives an example of a deposit wallet on an unnamed popular crypto exchange that received large amounts of crypto from both ransomware incidents and mining pools. Of the $94.2 million worth of cryptocurrency sent to that address, $19.1 million came from ransomware and $14.1 million from mining pools.
Chainalysis found instances in which the wallet receiving ransomware proceeds sent funds directly to the mining pool wallet, which then sent the coins to the exchange. This could mean that both the ransomware- and mining-related wallets belong to the same owner, who is using mining to launder criminal funds. “In this scenario, the mining pool acts similarly to a mixer in that it obfuscates the origin of funds,” the blog post reads.
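The two patterns described above, a deposit address funded by both ransomware and mining pools and a ransomware wallet routing funds through a pool first, can be written as checks over labelled transfers. This is an added example, not Chainalysis's code or methodology; all addresses, labels, amounts and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: address names, labels and USD amounts are invented.
LABELS = {
    "rw_wallet_1": "ransomware",
    "rw_wallet_2": "ransomware",
    "pool_A": "mining_pool",
    "pool_B": "mining_pool",
    "dep_X": "exchange_deposit",
    "dep_Y": "exchange_deposit",
}
TRANSFERS = [  # (source, destination, usd_value)
    ("rw_wallet_1", "dep_X", 400_000),
    ("pool_A", "dep_X", 250_000),
    ("retail_1", "dep_X", 90_000),
    ("rw_wallet_2", "pool_B", 300_000),
    ("pool_B", "dep_Y", 280_000),
    ("retail_2", "dep_Y", 50_000),
]

def exposure_by_deposit(transfers, labels):
    """Sum direct inbound USD per deposit address, grouped by sender label."""
    out = defaultdict(lambda: defaultdict(int))
    for src, dst, usd in transfers:
        if labels.get(dst) == "exchange_deposit":
            out[dst][labels.get(src, "unlabeled")] += usd
    return {d: dict(cats) for d, cats in out.items()}

def dual_exposure(transfers, labels):
    """Deposit addresses funded directly by both ransomware and mining pools."""
    exp = exposure_by_deposit(transfers, labels)
    return sorted(d for d, c in exp.items()
                  if c.get("ransomware", 0) > 0 and c.get("mining_pool", 0) > 0)

def pool_passthrough(transfers, labels):
    """Find ransomware -> mining pool -> deposit chains (one intermediate hop)."""
    tainted_pools = defaultdict(set)
    for src, dst, _ in transfers:
        if labels.get(src) == "ransomware" and labels.get(dst) == "mining_pool":
            tainted_pools[dst].add(src)
    chains = []
    for src, dst, usd in transfers:
        if src in tainted_pools and labels.get(dst) == "exchange_deposit":
            chains += [(rw, src, dst, usd) for rw in sorted(tainted_pools[src])]
    return chains
```

In the sample, `dep_Y` has no direct ransomware exposure and is only surfaced by the one-hop check. The sketch ignores transaction timing and amounts, which a real review would also compare.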
The BitClub Network scam, which pretended to be operating a crypto mining business until its operators were indicted by the DOJ in 2020, also used this scheme. The wallets attributed to BitClub used the same set of deposit addresses on two exchanges as “a Russia-based Bitcoin mining operation,” Chainalysis wrote. This could have been a trick to make exchanges believe that the funds are coming from mining, not from crime.
North Korean hacking group APT43, also referred to as Archipelago, is likewise investing the crypto it steals in mining, according to cyber security firm Mandiant. This way, the hackers replace the coins tainted by criminal association with new, “clean” ones.