How Binance Aided in the Takedown of a $500 Million Ransomware Gang

This summer, international law enforcement agencies working with Binance, the world’s leading exchange, infiltrated Fancycat, an international organization of cybercriminals responsible for over $500 million in ransomware crime.

    Last June, cyber police units from Ukraine, Korea, the United States, Spain, Switzerland, and others working with Interpol raided 21 addresses in Kyiv. Six members of the cybercriminal ring were accused of using malicious software known as ransomware, alongside other cybercrimes, between 2019 and 2021. Their targets were the servers of Korean companies and American universities.

    Binance stated in a blog post about its involvement in the operation, “our ongoing partnerships with law enforcement, as well as security and blockchain analytics firms, will be a driving force in improving cybersecurity measures across the wider crypto industry.” With this in mind, the exchange has increased its in-house anti-money laundering (AML) detection and analytics capabilities over the last year.

    Ransomware’s lethal consequences

    According to research, illicit activity accounts for less than 1% of all cryptocurrency transactions, but cryptocurrency is still widely used in ransomware, which is now the most serious threat to any organization’s online security. Furthermore, according to cybercrime researchers, one of the most active ransomware organizations, Clop (aka Cl0p), has been ramping up activity in 2021.

    Ransomware has compromised healthcare records, disrupted supply chains, and can be lethal. In Germany last year, a woman died after her ambulance was turned away by the nearest hospital because ransomware had crippled the digital infrastructure used to coordinate emergency treatment.

    According to Binance, cybercriminals frequently use cryptocurrency exchanges and virtual asset service providers (VASPs) to launder their gains, casting a cloud over the entire industry.

    Platforms dubbed “Bulletproof Exchangers” by Binance frequently serve as cash-out points for cryptocurrency operations linked to financial crimes and other fraud. They typically have lax know-your-customer (KYC) and anti-money laundering (AML) controls.

    “Blockchain analysis shows a network of money launderers living inside macro exchanges who deposit and withdraw to each other to wash the money,” according to Binance.

    According to Binance data analyzed by blockchain analytics startup TRM Labs, these platforms, which are frequently based in areas with little enforcement or regulation, are linked to ransomware attacks, exchange hacks, and darknet-related activities.

    “The most serious security issue in the industry today is money connected to cyberattacks being laundered through nested services and parasite exchanger accounts that live inside macro VASPs, including exchanges like Binance.com,” the exchange says.

    Collaboration continues

    Binance’s collaboration with international law enforcement was not its first. In 2020, it launched its Bulletproof Exchanger Project, a dedicated anti-ransomware initiative in which Binance collaborated with the Ukrainian Cyber Police.

    Last year, the operation uncovered a large cybercriminal organization accused of laundering more than $42 million in illicit funds.

    However, in addition to continuing to work with authorities, the exchange is focusing on improving its own detection mechanisms, in collaboration with TRM and analytics firm Crystal, developed by blockchain technology firm Bitfury.

    To combat the ransomware threat, Binance has implemented mechanisms that help identify and shut down illicit activity. These are built and run by the Binance Sentry team and its analytics arm, the Security Data Science team, which identifies transactions between Binance and high-risk entities.

    Prior to the Fancycat sting, for example, Binance and its analytical partners were able to analyze on-chain activity and gain a better understanding of the group and its connections to the larger criminal underworld.

    Using data sets and detection algorithms trained on historical attacker data to flag potentially malicious activity, they mapped the suspect network and determined that the group was linked to Clop as well as other ransomware operations such as Petya. According to Binance, the analysis was critical in identifying Fancycat and led to the arrest of its members.

    Tracking down web criminals can be a profitable business. The US State Department is offering cryptocurrency bounties to dark web informants in exchange for information on hackers deemed a threat to the country. A total of $10 million has been pledged for the venture.

    According to the exchange, Binance security teams are now working to apply big data techniques to further security research and investigations of crypto-related criminal activity.

    The exchange stated that it intends to “dissolve additional criminal groups for an overall safer community” through partnerships with security and blockchain analytics firms.