How do cybercriminals launder cryptocurrency?

The worst possible outcome has occurred. A ransomware attack has broken through multiple layers of security and encrypted mission-critical data. Either no backup exists for this data, or the data backups are also encrypted. No documented fix will allow you to reverse the encryption. Given no other choice, you pay the ransom.

On aggregate, the global ransomware industry accrued hundreds of millions of dollars in various cryptocurrencies in 2024 alone. But the story of that money doesn’t stop there. It needs to be laundered — converted from illegal winnings into an apparently legitimate income stream. How do cybercriminals transform their ransom payments into money they can spend without fear of arrest?

Disguising bad actors by laundering ransomware payments

When cryptocurrency was originally imagined, it was hailed by libertarians as a decentralized parallel currency that would allow its users to obscure their wealth and transactions from central governments. In a perfect world — from a certain point of view — you wouldn’t need to launder cryptocurrency. You’d be able to own it and spend it without anyone knowing that you had it.

In reality, cryptocurrency is not as untraceable as criminals would prefer. There are several ways for law enforcement agencies to unravel blockchain transactions, unmask ransomware attackers and make arrests.

• Attribution data highlights criminal activity: Criminals often make mistakes that allow them to be identified. For example, let’s say that a hacker hard codes the address for ransom payments into their malware. This means that the wallet is inextricably tied to criminal activity — any transfer out of that wallet is probably linked to the same attacker. (A smarter attacker would try to automatically generate a unique wallet for every malware instance.)
• Data-mining the blockchain for clues: A single ransomware group may own hundreds of cryptocurrency wallets. This makes it less obvious when the group receives a large number of transactions in the wake of an attack. A machine learning algorithm known as DBSCAN (density-based spatial clustering of applications with noise) can reveal the connections between these wallets, making it easier to unmask the owners.
• Identifying off-ramp transactions: Criminals eventually need to convert their cryptocurrency into offline currency in order to spend it. This will sometimes involve dealing with entities — like banks — that are subject to international anti-money-laundering (AML) or know-your-customer (KYC) regulations. Once a wallet has been associated with criminal activity, investigators can learn when and where its contents have been converted to currency. They can then subpoena the bank, moneylender or cryptocurrency exchange to uncover the hacker’s identity.

Cybercriminals now need to take increasingly more elaborate steps to elude law enforcement and spend their ill-gotten earnings.

Three common methods for cybercriminals to launder cryptocurrency

Hackers are defined by their willingness to adapt their methods. Although governments are increasingly able to unravel cryptocurrency transactions, hackers have adopted several ways to make this job more difficult.

1. Bitcoin isn’t the only game in town. Although Bitcoin is still the currency of choice for ransomware attackers, other cryptocurrencies are designed with more privacy and security in mind. Currencies such as Monero and Tether are built with a number of privacy features that make transactions much harder to trace. Some ransomware groups even offer discounts to victims who are willing to pay in Monero instead of Bitcoin!  
2. Why use one blockchain when you can use several? Using one blockchain, no matter how secure, may not protect you from the highest degree of scrutiny. That’s why many criminals prefer the practice of “chain hopping.” This is when you convert your Bitcoin into Tether, your Tether into Monero, your Monero into Ethereum, and so on and so on. The advantage of this technique is that cross-chain bridges aren’t subject to the same AML regulations as cryptocurrency exchanges, meaning that the users can remain anonymous.
3. Mix and match cryptocurrency in a tumbler. No matter how many times you switch between blockchains, the money you’ve received is still identifiably yours. But what if it was someone else’s? A cryptocurrency tumbler is a paid service that swaps money between owners, making it practically untraceable.

Because tumblers — also known as mixers — are so effective at obscuring the origins of ransom payments, they’ve become one of the most popular and effective methods for cybercriminals to launder cryptocurrency.

How do cryptocurrency tumblers work?

Let’s say that Alice, Bob and Charlie each own a sum of cryptocurrency, and they’re each interested in making sure that no one knows how they got it. They employ the services of a cryptocurrency tumbler.

Each user empties their cryptocurrency wallet into the tumbler. The tumbler swaps Alice’s money with Bob’s money and then swaps Bob’s money with Charlie’s money. When Alice gets her money back — minus a small fee that goes to the tumbler — the currency she receives doesn’t contain any of the money that she started out with.

In real life, this process is scaled across thousands of users and repeated hundreds of times. This makes it very difficult to determine the origin of stolen funds. Without the cryptocurrency tumbler, here’s what law enforcement would see when they tracked the chain of transactions.

1. A victim purchases some cryptocurrency and transfers it to a wallet owned by an anonymous cybercriminal.
2. The cryptocurrency makes its way through a few dozen wallets and additional blockchains, each owned by more anonymous users.
3. Law enforcement uses DBSCAN to trace these transactions from start to finish, discovering that each anonymous wallet is owned by the same user.
4. Finally, the cryptocurrency is converted into local currency and deposited into an account owned by Alice.
5. Law enforcement subpoenas the cryptocurrency exchange under international KYC laws and identifies Alice, who gets charged with cybercrime.

No matter how often Alice transfers her money, there’s still a pathway connecting her with the original crime. But with the tumbler, there's a new step in between three and four. Previously, the cryptocurrency transactions involved a single large sum of money. Now, that entire sum gets broken up and transferred to other users who had nothing to do with the original crime, and Alice has her ransom money replaced with currency of legitimate origin. The trail ends with the mixer, and no arrest can be made. 

How are law enforcement agencies working against money launderers?

There’s one significant weakness in the cryptocurrency mixer scheme: Unless you’re trying to move or hide money illegally, there’s hardly a legitimate reason to use one. For that reason, global law enforcement agencies have decided to go after cryptocurrency tumblers themselves for aiding and abetting financial crimes. There have been a number of high-profile cases over the last few years, including:

• In 2023, a company known as ChipMixer was shut down by regulators from Germany and the U.S. who seized approximately $46 million in Bitcoin.
• In April 2024, the CEO and CTO of Samouri Wallet were charged with laundering over $100 million of ransomware payments.
• In December 2024, the Russian operators of Blender.io and Sinbad.io were indicted following their arrest for money laundering. 

The result of this has been to give ransomware attackers fewer places and methods to hide their ransoms, making it more difficult to pursue this source of revenue.

How Barracuda can help

Once you’ve paid a ransom in cryptocurrency, it’s gone. Even though global law enforcement agencies may shut down the cryptocurrency mixer, trace the attacker, and seize their assets, it’s very unlikely that the money you spent will ever make its way back to you.

Therefore, administrators need to adopt best practices for defending against ransomware. This means implementing protections such as multifactor authentication (MFA), up-to-date patch management, and microsegmentation. Services such as Barracuda Managed XDR can accelerate threat detection, protect your attack surfaces and augment your resources. Schedule a demo today and learn how we can protect your environment.