Stages of money laundering
Match Systems specialists investigated a case in which the victim, as a result of a "dust attack", inadvertently sent 50 thousand USDT tokens to the fraudster's cryptocurrency address. More information about "dust attacks" can be found in the article at the link.
Upon the victim's appeal, the first operational measures were to mark the attacker's address as "stolen funds" in all major blockchain analyzers and to send an urgent notification to all major cryptocurrency exchanges that the attacker's address is associated with illegal activity. These measures increase the chance that the stolen funds will be temporarily frozen when they are sent to an exchange. Additionally, the attacker's address, to which the victim's funds were sent, was put on special monitoring by Match Systems.
A few days after the theft, the attacker began moving the stolen funds from an address that, as a result of the operational actions by Match Systems, already carried a 100% "stolen funds" marking.
The general scheme of the movement of stolen funds is shown in the visualization.
Let's go through it in order.
1. From the primary address, the attacker sent the stolen 50 thousand USDT to a second address, from which the circular movement of the stolen funds through 5 new addresses of the attacker began. The attacker moved the stolen funds around this circle of 5 addresses more than 20 times. After that, the stolen funds left the circle and went to the next new address.
The above actions did not allow the attacker to "launder" the stolen funds. The composition of the funds received at the address after leaving the "circle" is 100% "stolen funds".
2. After leaving the "circle", the attacker sent the stolen 50 thousand USDT through a long closed chain of transactions consisting of 50 new addresses. On the second pass through this chain, the attacker transferred the funds to the next stage.
The above actions also did not allow the attacker to "launder" the stolen funds. The composition of the funds received at the address after exiting a long chain of transactions is 100% "stolen funds".
3. After exiting the long chain of transactions, the attacker mixed the stolen 50 thousand USDT with another 50 thousand USDT at one new address. He then sent the funds separately, 50 thousand USDT each, to 2 new addresses and merged them again. Then the attacker mixed these 100 thousand USDT with another 100 thousand USDT at one new address (ending up with 200 thousand USDT at a single address).
The above actions allowed the attacker to partially "launder" the stolen funds by merging them with other funds that were not marked as "stolen funds". The composition of the funds received at the address after leaving this transaction chain is 25% "stolen funds".
4. After the merger, the received 200 thousand USDT were sent to the BitTorrent blockchain using the "BitTorrent-Chain ERC20 Smart Contract", where the funds were again split into the original 50 thousand USDT and the 150 thousand USDT that had been added for mixing, and transferred back to the Tron blockchain to 2 new addresses.
The above actions allowed the attacker to completely "launder" the stolen funds by passing them through another blockchain (this technique is often used by attackers to quickly conceal traces of a crime). The composition of the funds received at the address after exiting the BitTorrent blockchain is 0% "stolen funds".
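The percentages quoted for steps 3 and 4 follow from a proportional ("haircut") taint model, in which every outgoing transfer carries the sender's current tainted share. The example below is added here and is not Match Systems' tooling; the addresses (A1..A5, B1, B2, BRIDGE) and the transfer list are constructed to mirror the amounts in steps 3 and 4, and the `follow_bridge` flag models the difference between an analyzer that loses attribution at the cross-chain hop (the 0% the article reports) and one that carries the taint through the bridge.

```python
from collections import defaultdict

BRIDGE = "BRIDGE"  # constructed stand-in for the cross-chain bridge contract

# Constructed transfers (source, destination, amount in USDT) modelling steps 3 and 4.
# "STOLEN" is the 100%-tainted inflow leaving the long transaction chain;
# "EXT_*" are unmarked funds the attacker brought in for mixing.
TRANSFERS = [
    ("STOLEN", "A1", 50_000),   # step 3: stolen 50k arrives
    ("EXT_1", "A1", 50_000),    # mixed with 50k clean -> A1 holds 100k at 50%
    ("A1", "A2", 50_000),       # split 50k / 50k to two new addresses
    ("A1", "A3", 50_000),
    ("A2", "A4", 50_000),       # merged again -> A4 still 50%
    ("A3", "A4", 50_000),
    ("A4", "A5", 100_000),
    ("EXT_2", "A5", 100_000),   # 100k + 100k clean -> A5 at 25%
    ("A5", BRIDGE, 200_000),    # step 4: into the bridge contract
    (BRIDGE, "B1", 50_000),     # back on the origin chain as two outputs
    (BRIDGE, "B2", 150_000),
]


def trace_taint(transfers, tainted_sources, follow_bridge=False):
    """Return {address: tainted fraction} for every address still holding funds.

    Proportional model: a transfer out of an address carries the same tainted
    share as the address's balance. With follow_bridge=False the bridge's
    outputs are credited as 0% tainted, reproducing an analyzer that cannot
    link the two chains; with follow_bridge=True the taint survives the hop.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for src, dst, amount in transfers:
        if balance[src] > 0:                      # tracked address: proportional share
            out_tainted = tainted[src] / balance[src] * amount
            balance[src] -= amount
            tainted[src] -= out_tainted
        else:                                     # external inflow into the graph
            out_tainted = amount if src in tainted_sources else 0.0
        if src == BRIDGE and not follow_bridge:
            out_tainted = 0.0                     # attribution lost across chains
        balance[dst] += amount
        tainted[dst] += out_tainted
    return {addr: tainted[addr] / balance[addr]
            for addr in balance if balance[addr] > 0}


if __name__ == "__main__":
    print("analyzer blind at bridge:", trace_taint(TRANSFERS, {"STOLEN"}))
    print("taint carried through:  ", trace_taint(TRANSFERS, {"STOLEN"}, follow_bridge=True))
```

Running the first eight transfers alone gives A5 at 0.25, the figure the article reports for step 3; with the bridge hops included, the blind analyzer reports B1 and B2 at 0% while the bridge-aware trace keeps both at 25%.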
5. After completing the cross-chain transfer (after exiting the BitTorrent Bridge back to the Tron blockchain), the attacker sent the stolen 50 thousand USDT through 1 circle consisting of 5 new addresses, where he mixed them with another 100 thousand USDT, and then brought 50 thousand USDT out of the circle separately to a new address.
6. After leaving this next round of transfers, the stolen 50 thousand USDT were sent to the final address, where the funds were again mixed with the other 150 thousand USDT that had previously left the BitTorrent blockchain (mentioned in paragraph 4). Then the funds, in the amount of 200 thousand USDT, were sent to the cryptocurrency lending service "JustLend.org".
As a result, the stolen funds remained "clean". The composition of the funds received at the address after exiting this transaction chain is 0% "stolen funds".
In this article, using a real example, various methods used by attackers to "launder" and withdraw stolen funds were considered. This list is not exhaustive: there are other methods involving the use of cryptocurrency mixers, swap services, passing funds through cryptocurrency exchanges or exchange services with a low level of AML control, and others. This information is provided for informational purposes only and should not be used for illegal purposes. The author of the article is not responsible for the further use and application of the information provided.