Source: Chainalysis; Compiled by Tao Zhu, Golden Finance
Summary
Year-to-date, total illicit activity on-chain has fallen by nearly 20%, indicating that legitimate activity is growing faster than illicit activity.
While illicit transactions have decreased compared to the same period last year, two types of illicit activity, stolen funds and ransomware, are increasing. Specifically, inflows of stolen funds nearly doubled, from $857 million to $1.58 billion, while ransomware inflows increased by about 2%, from $449.1 million to $459.8 million.
Stolen Funds
The average amount of cryptocurrency stolen per heist increased by nearly 80%.
This is due in part to the rising price of Bitcoin (BTC), which accounted for 40% of the transaction volume associated with these heists. Crypto thieves also appear to be returning to their roots, more frequently targeting centralized exchanges rather than DeFi protocols, which typically handle little BTC.
Advanced cybercriminals, including IT workers linked to North Korea, are increasingly using off-chain methods such as social engineering to steal funds by infiltrating crypto-related services.
Ransomware
2024 is on track to be the highest-grossing year yet for ransomware payments, in large part because ransomware strains are carrying out fewer high-profile attacks but collecting larger ransoms per attack (known in the industry as "big game hunting"). 2024 saw the largest ransomware payment ever recorded, approximately $75 million paid to the Dark Angels ransomware group.
The median ransom paid to the most severe ransomware strains has soared from less than $200,000 in early 2023 to $1.5 million in mid-June 2024, suggesting that these strains preferentially target large enterprises and critical infrastructure providers, which may be more likely to pay high ransoms because of their deep pockets and systemic importance.
The ransomware ecosystem has fragmented somewhat following recent law enforcement disruptions of the largest players, ALPHV/BlackCat and LockBit. After these disruptions, some former affiliates migrated to less effective strains or launched their own.
There have been many positive developments in the cryptocurrency ecosystem in 2024. Cryptocurrency continues to gain mainstream acceptance in many quarters following the approval of spot Bitcoin and Ethereum exchange-traded funds (ETFs) in the U.S. and the Financial Accounting Standards Board's (FASB) revision of its fair value accounting rules for crypto assets. But as with any new technology, adoption grows among both good and bad actors. While illicit activity is down year-to-date (YTD) compared to previous years, cryptocurrency inflows to specific cybercrime-related entities show some worrying trends.
As shown in the chart below, year-to-date inflows to legitimate services are the highest since 2021, the peak of the last bull run. This is an encouraging sign that cryptocurrency adoption will continue to grow around the world. Inflows to high-risk services, which primarily comprise mixers and exchanges that do not collect KYC information, are trending higher than in the same period last year. Meanwhile, total illicit activity has dropped 19.6% year-to-date, from $20.9 billion to $16.7 billion, indicating that legitimate activity on-chain is growing faster than illicit activity. As always, we must remind readers that these illicit totals are lower-bound estimates based on the inflows to illicit addresses we can identify today. They will almost certainly rise over time as we classify more illicit addresses and incorporate their historical activity into our data.
Another important update this year is that we have begun incorporating suspected illicit activity into our overall estimates for certain crime types, based on Chainalysis Signals data. Previously, our estimates only included totals associated with addresses for which Chainalysis had supporting documentation proving they belonged to an illicit entity. Signals uses on-chain data and heuristics to assign a suspected category to specific unknown addresses or clusters of addresses, with confidence levels ranging from likely to almost certain. The introduction of Signals has not only increased our estimates for certain categories of illicit activity over time, but has also let us revise estimates for previous years, since there has been more time to collect input and learn on-chain patterns of suspicious activity. As bad actors continue to evolve their tactics, so will our detection and disruption methods.
While illicit transactions are down overall compared to the same period last year, two notable types of illicit activity, stolen funds and ransomware, have been on the rise. The value of funds stolen in cryptocurrency thefts nearly doubled year-over-year, from $857 million to $1.58 billion by the end of July. In last year's mid-year update, ransomware inflows totaled $449.1 million through June 2023. This year, ransomware inflows have exceeded $459.8 million over the same period, suggesting we may see another record year for ransomware.
Attackers return, target centralized exchanges, and stolen funds surge
After a 50% drop in the value of stolen cryptocurrency in 2023 compared to 2022, hacking activity has resurged this year. Comparing the amount stolen and the number of hacking incidents year-on-year is telling. As shown in the figure below, as of the end of July the cumulative value stolen this year has reached $1.58 billion, about 84.4% higher than the value stolen in the same period last year. Interestingly, the number of hacking incidents in 2024 is only slightly higher than in 2023, a year-on-year increase of just 2.76%. Based on the value of the assets at the time of theft, the average value stolen per incident increased by 79.46%, from $5.9 million per incident in January through July 2023 to $10.6 million per incident so far in 2024.
The change in the value stolen can be largely attributed to rising asset prices. For example, the price of Bitcoin has risen 130% from an average price of $26,141 in the first seven months of 2023 to an average price of $60,091 through July this year.
The price of Bitcoin is particularly important here. One hacking metric that Chainalysis tracks is the volume of transactions associated with the flow of stolen funds after a hack. This serves as a proxy for the assets stolen, since hacked services often do not publicly report a breakdown of what was taken. Last year, 30% of this volume was associated with Bitcoin. This year, BTC transactions associated with stolen-funds activity account for 40% of these flows. This pattern appears to be driven by a change in the type of entities being hacked, with centralized services being hacked for large amounts in 2024. This was particularly true for centralized exchanges such as DMM, which lost $305 million. In the DMM hack, around 4,500 BTC were reportedly stolen, about 19% of the total value stolen in 2024 so far.
Crypto thieves appear to be returning to their old practices, targeting centralized exchanges again after spending the past four years focused largely on DeFi platforms (which typically do not handle Bitcoin).
While attacks on DeFi services, especially cross-chain bridges, peaked in 2022, we speculate that attackers had turned their attention to those newer, more vulnerable organizations after centralized exchanges increased their security investments. Now attackers, including those linked to North Korea, are using increasingly sophisticated social engineering tactics, including applying for IT jobs, to infiltrate centralized exchanges, historically one of their most targeted entity types, and steal cryptocurrency. The United Nations recently reported that more than 4,000 North Koreans have been employed by Western tech companies.
2024 is on track to be the highest year for ransomware revenue to date
In 2023, ransomware set a record of more than $1 billion in ransom payments. These large ransoms came from high-profile, disruptive attacks such as Cl0p's exploitation of the MOVEit zero-day vulnerability and the ALPHV/BlackCat ransomware group's attack on Caesars' hotel properties, which resulted in the company paying a $15 million ransom. [1] These payments continued despite significant law enforcement action against ransomware deployers' malware and organizational infrastructure. At this time last year, we reported that cumulative ransomware payments through the end of June 2023 were approximately $449.1 million. Over the same period this year, we recorded a total of $459.8 million in ransom payments, putting 2024 on track to be the worst year on record.
Despite the disruptions to LockBit and ALPHV/BlackCat, ransomware activity has remained relatively stable, said Andrew Davis, general counsel at Kivu Consulting. "Both former affiliates of these well-known threat actor operations and emerging ransomware groups have entered the fray, demonstrating new methods and techniques for carrying out attacks, such as expanding their initial access means and lateral movement methods."
Ransomware attacks have also become significantly more severe, as shown in the figure below. One notable change is the surge in the largest ransom payments we observed over the course of the year. So far, 2024 has seen the largest single payment ever, approximately $75 million, to a ransomware group called Dark Angels. This top payment is a 96% increase over the top payment of 2023 and a 335% increase over the top payment of 2022.
If the rapid growth in top payments were not bad enough, what is more worrying is that this trend in annual outliers mirrors a rising trend in median payments, most pronounced among the most damaging ransomware strains. To show this, we classified all strains into the following categories based on the size of their on-chain payments:
Very high severity strains: Maximum payment received in a given year exceeded $1 million
High severity strains: Maximum payment received in a given year was between $100,000 and $1 million
Medium severity strains: Maximum payment received in a given year was between $10,000 and $100,000
Low to medium severity strains: Maximum payment received in a given year was between $1,000 and $10,000
Low severity strains: Maximum payment received in a given year was less than $1,000
Using this classification, we can track abnormal growth in median payment amounts over time for each severity level. The upward trend is particularly pronounced among "very high severity" strains, for which the median payment increased from $198,939 in the first week of 2023 to $1.5 million in mid-June 2024. In other words, the typical ransom paid to the most severe strains has increased 7.9-fold over this period, and nearly 1,200-fold since the beginning of 2021. This pattern may indicate that these strains are targeting larger enterprises and critical infrastructure providers, which may be more likely to pay large ransoms because of their deep pockets and systemic importance.
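The severity-band analysis described above, as an added worked example in Python. This is illustrative code, not Chainalysis tooling: each strain is assigned a band from the largest single payment it received in a given year, every payment is then bucketed by its strain's band for the year it was paid, and the median is computed per band and per half-year so that the growth of the "very high severity" median can be compared across periods. The payment records are constructed sample data, and treating each band's lower bound as inclusive is an assumption the text does not state.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Severity bands from the text, as (name, inclusive lower bound, exclusive upper bound) in USD.
# The text says "between X and Y"; treating the lower bound as inclusive is an assumption.
SEVERITY_BANDS = (
    ("very_high", 1_000_000, float("inf")),
    ("high", 100_000, 1_000_000),
    ("medium", 10_000, 100_000),
    ("low_medium", 1_000, 10_000),
    ("low", 0, 1_000),
)

# Constructed sample payments: (strain, payment date, USD value at time of payment).
# Illustrative records only, not real on-chain data.
SAMPLE_PAYMENTS = [
    ("StrainA", date(2023, 2, 3), 200_000),
    ("StrainA", date(2023, 5, 20), 1_200_000),
    ("StrainA", date(2024, 1, 15), 900_000),
    ("StrainA", date(2024, 3, 9), 5_000_000),
    ("StrainA", date(2024, 6, 2), 1_400_000),
    ("StrainB", date(2023, 3, 11), 60_000),
    ("StrainB", date(2023, 6, 30), 120_000),
    ("StrainB", date(2024, 2, 14), 300_000),
    ("StrainB", date(2024, 5, 1), 500_000),
    ("StrainC", date(2023, 4, 4), 600),
    ("StrainC", date(2023, 4, 28), 900),
    ("StrainC", date(2024, 4, 19), 400),
    ("StrainD", date(2024, 6, 10), 40_000),
]


def severity_for_max_payment(max_usd):
    """Return the severity band whose range contains a strain's largest payment."""
    for name, lo, hi in SEVERITY_BANDS:
        if lo <= max_usd < hi:
            return name
    raise ValueError(f"payment outside all bands: {max_usd}")


def classify_strains(payments, year):
    """Assign each strain active in `year` a band from its maximum single payment that year."""
    max_by_strain = defaultdict(int)
    for strain, day, usd in payments:
        if day.year == year:
            max_by_strain[strain] = max(max_by_strain[strain], usd)
    return {strain: severity_for_max_payment(m) for strain, m in max_by_strain.items()}


def half_year(day):
    """Period key: (year, 1) for January-June, (year, 2) for July-December."""
    return (day.year, 1 if day.month <= 6 else 2)


def median_payment_by_band(payments, period=half_year):
    """Median payment per (severity band, period).

    A payment is bucketed by its strain's band for the year the payment was made,
    so a strain that grows (or shrinks) can change band from one year to the next.
    """
    years = {day.year for _, day, _ in payments}
    band_of = {y: classify_strains(payments, y) for y in years}
    buckets = defaultdict(list)
    for strain, day, usd in payments:
        buckets[(band_of[day.year][strain], period(day))].append(usd)
    return {key: median(values) for key, values in buckets.items()}


def median_growth(medians, band, from_period, to_period):
    """Ratio of a band's median payment in to_period to its median in from_period."""
    return medians[(band, to_period)] / medians[(band, from_period)]


if __name__ == "__main__":
    medians = median_payment_by_band(SAMPLE_PAYMENTS)
    for (band, (year, half)), m in sorted(medians.items()):
        print(f"{band:10s} {year}H{half}: median ${m:,.0f}")
    print("very_high median growth 2023H1 -> 2024H1:",
          median_growth(medians, "very_high", (2023, 1), (2024, 1)))
```

Because the band is recomputed per year, a strain that collected one outsized payment in 2023 but only small ones in 2024 drops out of the "very high" bucket for 2024, which is what keeps the per-band medians comparable across periods. Boundary values matter: with the inclusive lower bound used here a payment of exactly $1,000,000 counts as very high severity, while $999,999 is high severity.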
However, as shown in the figure below, the total volume received by the most severe ransomware strains is still 50.8% below the same period in 2023. This is likely attributable to law enforcement disruptions of the largest players, ALPHV/BlackCat and LockBit, which temporarily halted their operations. Following these disruptions, the ecosystem became more fragmented, with affiliates migrating to less effective ransomware strains or launching their own. As a result, year-to-date activity for high severity strains increased by 104.8%.
Another trend is that ransomware attacks are also becoming more frequent: the number of posts to ransomware leak sites, a measure of ransomware incidents, has increased by about 10% year-over-year so far this year, according to leak-site statistics compiled by eCrime.ch. Yet while this year is on track to set records for total ransom payments and for the largest single ransom, and the attack landscape is worsening, there is a glimmer of good news. Amid all of these headwinds, victims are paying ransoms less often. An increase in leak-site posts is what we would expect if more victims were being compromised, but the total number of ransomware payment events, as measured on-chain, decreased 27.29% year-over-year. Taken together, these two trends suggest that while the number of attacks is up year-to-date, the payment rate is down. This is a positive sign for the ecosystem, suggesting that victims are better prepared and able to recover without paying the ransom.
"About 65% of the issues that Kivu assisted victim organizations with have been resolved without the need to pay a ransom. Affected organizations continue to maintain a positive recovery trend without having to pay a ransom to the attackers," Davis said.
While illicit activity in the crypto ecosystem continues to trend downward, two crypto crimes appear to be bucking the trend: stolen funds and ransomware. It is worth noting that these two crime types are often committed by actors with common characteristics. They are typically organized groups operating complex network infrastructure. In the case of stolen funds, North Korea-linked hacking groups are behind some of the largest heists. These actors are known to use elaborate social engineering tactics to break into crypto businesses, steal crypto assets, and apply professional money laundering techniques to try to cash out the funds before they can be seized. The key to combating cybercrime is disrupting its supply chain, including attackers, affiliates, partners, infrastructure service providers, money launderers, and cash-out points. Since crypto heists and ransomware operations run almost entirely on the blockchain, law enforcement with the right tools can follow the funds to better understand and disrupt these actors' operations. "I believe that counter-insurgency and law enforcement operations such as Operation Cronos, Operation Duck Hunt, and Operation Endgame have been critical in curbing these activities and showing that criminal behavior has consequences," said Corsin Camichel, researcher at eCrime.ch.