Chainalysis MD Ulisse Dell’Orto on common mistakes made in ransomware investigations
00:31, 23 November 2021
Thanksgiving may be a holiday for most people in the US, but it is not a rest day for hackers. On Monday, US authorities warned American businesses and government authorities to be extra vigilant against attacks on 25 November. Invariably some ransomware attacks will succeed, and according to Ulisse Dell’Orto, managing director, Asia-Pacific, at cryptocurrency research firm Chainalysis, there are common mistakes made when investigating this type of cybercrime.
Capital.com: How difficult are ransomware attacks to investigate?
Ulisse Dell'Orto: The inherent transparency of blockchains makes cryptocurrency investigations easier for law enforcement compared to financial investigations involving fiat currency. Blockchains act as a permanent, publicly viewable ledger of nearly all cryptocurrency transactions, allowing investigators to track fund movements between cryptocurrency addresses – something that’s simply impossible with fiat currency.
However, cryptocurrency addresses are pseudonymous. Investigators need reliable data attributing those addresses to services and organisations to be able to draw insights from blockchains’ transaction records.
Think of the blockchain as a map that shows you where cryptocurrency moves, providing the labels that allow investigators to understand who’s in control of funds when they move to a specific address. But blockchain is also a map where none of the countries are labelled. A failure to understand this can lead investigators to false conclusions, resulting in time and resources wasted on chasing down inaccurate leads.
CC: What role do coin mixers play in cryptocurrency investigations?
UDO: Failure to identify coin mixers is a key mistake made by ransomware investigators. Coin mixers function by “mixing” all users' coins in one central fund and then returning their value to users, minus a small fee, thereby making them untraceable. Unsurprisingly, coin mixers are frequently used by criminals to hide their tracks, and despite facing increasing scrutiny from law enforcement groups, these services still proliferate.
CC: Are funds traceable after they have been sent through a coin mixer?
UDO: Just because a coin mixer has been used does not mean investigators cannot continue to track funds, but they do need to use a blockchain analysis tool that has tagged the addresses in question as belonging to a mixer.
Take the example of the Colonial Pipeline attack, carried out by the hacking group DarkSide. In this instance, US investigators were able to recover a substantial amount of the ransom paid using the type of technology I just described.
Soon after the attack, the administrator moved funds to an intermediary wallet labelled “DarkSide Dormant Funds”. The funds were moved to a second intermediary wallet, called “DarkSide Consolidation”, and roughly one hour later moved to a mixer, whose name remains hidden as the investigation is ongoing.
If users attempted to analyse this transaction using a public block explorer or a blockchain analysis tool that hasn’t catalogued the receiving address as part of a mixer, they wouldn’t be able to tell what’s happening. Instead, they would see funds moving to several different addresses in quick succession, in a pattern resembling a peel chain.
CC: What is a peel chain?
UDO: A peel chain is a transaction pattern commonly seen in blockchain analysis, in which funds appear to move through several intermediate addresses. In reality, those intermediate addresses are part of a single wallet and are created automatically to receive the leftover change that results from certain transactions.
In the case of an unidentified coin mixer, the intermediate addresses are part of the mixer itself rather than a wallet, and the new addresses are not made to receive trades; instead, it distributes funds to new addresses it also hosts, from which they can be passed on to the end users.
CC: Are peel chains only used by criminals?
UDO: Peel chain-like patterns stemming from unidentified mixer use have contributed to the belief that peel chains themselves are a technique for criminals to launder cryptocurrency. While cybercriminals may often take advantage of peel chains to hide their illicit gains, these are in fact naturally occurring patterns arising from how cryptocurrency wallets are designed to collect change from transactions.
A failure to understand the natural occurrence of peel chains may result in law enforcement teams wasting time and resources following false leads.
CC: Why do cybercriminals use exchanges?
UDO: Criminals often move cryptocurrency through intermediary wallets to throw investigators off the trail. These transactions are relatively easy to trace with most blockchain analysis tools, as investigators can rely on the blockchain to show them which new address received funds following each transaction.
Investigations become trickier when funds hit a service like an exchange, as it’s impossible to trace where funds are sent after they’ve arrived at a deposit address hosted by a service. Without attribution data, the blockchain alone is no longer a reliable source of truth.
When someone sends cryptocurrency to their deposit address at a service, the cryptocurrency doesn’t just sit at that address. Instead, the service moves it around internally, pooling and commingling it with the funds of other users as needed. Only the exchange itself knows which deposits and withdrawals are associated with specific customers, and that information is kept in the exchange’s order books, which aren’t visible on blockchains.
Of course, blockchains don’t know that services’ internal fund movements aren’t ordinary transactions — they’re recorded in the ledger just like any other transaction. Therefore, it doesn’t make sense to continue following funds once they’ve been deposited at a service, as the owner of the deposit address isn’t usually the one moving them after that point.
Again this can lead to investigators wasting time and resources following erroneous leads.
CC: What are nested services and merchant services?
UDO: Nested services are cryptocurrency entities that operate using addresses hosted by larger exchanges to tap into those bourses' liquidity and trading pairs. Clients of merchant services providers operate in a similar way.
Merchant services providers allow mainstream businesses to accept cryptocurrency as payment for products and services, like payment processors in the fiat world. Businesses using merchant services providers are analogous to nested services, as they receive cryptocurrency using addresses hosted by another business.
That means that investigators can draw false conclusions if they trace funds to an address that isn’t properly labelled as belonging to a nested service or merchant services provider.
CC: When have merchant services misled cybercrime investigators?
UDO: In June 2021, some news outlets reported that addresses associated with the ransomware strain Ever101 sent funds to an address belonging to RubRatings, an adult website that accepts cryptocurrency payments. This finding was false. Ever101 had in fact sent funds to a deposit address hosted by a merchant services provider of which RubRatings was also a client.
Investigators were led astray because they used a blockchain analysis tool that mislabelled all addresses in the merchant services provider’s wallets as belonging to RubRatings, not realising that RubRatings was one of many clients receiving funds at addresses hosted by the merchant services provider.
That error led to false news reports and could have led law enforcement to mistakenly subpoena RubRatings rather than the merchant services provider, which may have been able to provide more information on the account using the address in question.
Tracking funds from ransomware attacks is not a simple task, but a greater awareness of some of the issues we have just discussed will mean investigators' resources are used more efficiently.
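As an added illustration of the tracing logic Dell’Orto describes (not code from the interview or from Chainalysis), the Python below walks a constructed sample ledger with a change-following heuristic and stops at the first address attributed to a service; when the mixer is not catalogued, the same walk runs straight through the mixer’s internal addresses and ends on an exchange deposit, which is the false lead the interview warns about. All addresses, amounts and labels are constructed.

```python
from dataclasses import dataclass

# Constructed sample ledger (not real chain data): the flow described in the
# interview, with the mixer's internal hops m1..m4 looking like a peel chain.
@dataclass
class Tx:
    txid: str
    inputs: list    # addresses spent by this transaction
    outputs: dict   # receiving address -> amount

LEDGER = [
    Tx("t1", ["victim"], {"ransom_addr": 75.0}),
    Tx("t2", ["ransom_addr"], {"dormant": 75.0}),
    Tx("t3", ["dormant"], {"consolidation": 75.0}),
    Tx("t4", ["consolidation"], {"mixer_in": 74.9, "change": 0.1}),
    Tx("t5", ["mixer_in"], {"m1": 10.0, "m2": 64.9}),  # inside the mixer
    Tx("t6", ["m2"], {"m3": 9.0, "m4": 55.9}),         # inside the mixer
    Tx("t7", ["m4"], {"exchange_dep": 55.9}),
]

# Attribution data from a tool that has catalogued the mixer, and one that has not.
FULL_LABELS = {"mixer_in": "mixer", "exchange_dep": "exchange"}
PARTIAL_LABELS = {"exchange_dep": "exchange"}

def trace(start, ledger, labels):
    """Follow funds from `start`, taking the largest output of each spend (the
    change-following heuristic that walks a peel chain). Stop at the first
    address attributed to a service: past a deposit, the service moves the funds."""
    path, addr = [start], start
    while True:
        if addr in labels:
            return path, f"service:{labels[addr]}"
        spends = [tx for tx in ledger if addr in tx.inputs]
        if not spends:
            return path, "unspent"
        addr = max(spends[0].outputs.items(), key=lambda kv: kv[1])[0]
        path.append(addr)

def peel_hops(path, ledger):
    """Count hops where the followed output was the largest of several outputs."""
    hops = 0
    for prev, nxt in zip(path, path[1:]):
        tx = next(t for t in ledger if prev in t.inputs and nxt in t.outputs)
        hops += int(len(tx.outputs) > 1 and tx.outputs[nxt] == max(tx.outputs.values()))
    return hops

if __name__ == "__main__":
    for labels in (FULL_LABELS, PARTIAL_LABELS):
        path, stop = trace("ransom_addr", LEDGER, labels)
        print(" -> ".join(path), stop, "peel-like hops:", peel_hops(path, LEDGER))
```

With the full labels the walk stops at the mixer deposit after one peel-like hop; with the partial labels it continues through m2 and m4 and reports three peel-like hops before stopping at the exchange, so the analyst would wrongly attribute the exchange deposit to the ransomware operator.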