Last week, police in Ukraine working alongside other countries' authorities announced that they had arrested several people connected to a ransomware gang that's been hacking and extorting dozens of victims in the last few months. These arrests could have been a big blow for the gang known as Cl0p. But less than a week later, the hackers published leaked data from a new victim, showing that the arrests have not slowed them down.
On Thursday, the popular cryptocurrency exchange Binance published a blog post detailing its role in the bust and confirming that the people arrested in Ukraine were indeed the ones whose job was to cashout and launder cryptocurrency and money for the Cl0p gang. The company called the group FANCYCAT in the blog post, and described it as a group that's been "operating a high-risk exchanger; and laundering money from dark web operations and high-profile cyber attacks such as Cl0p."
A Binance spokesperson told Motherboard in an email that the group they helped identify, "was functioning as the cashout point and money laundering unit for Cl0p, Petya and many other prolific cybercriminal organizations."
"The FANCYCAT suspects were not, in fact, the authors or distributors of the Cl0p ransomware themselves although this group is distributing cyber attacks as well," the spokesperson added.
Biinance wrote that "the biggest security problem in the industry today is money connected to cyber attacks being laundered through nested services and parasite exchanger accounts that live inside" big exchanges such as Binance itself.
"These criminals enjoy taking advantage of reputable exchanges’ liquidity, diverse digital asset offerings and well-developed APIs," the company wrote.
Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, said that this operation shows that exchanges such as Binance face "an existential threat from the ransomware gangs" given their role in the gangs' operations.
Do you have knowledge of the inner workings of Cl0p or another ransomware gang? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr and Wire, or email email@example.com
To counter these criminal groups, Binance said it has expanded its detection and analytics capabilities, which helped it to identify money launderers who "deposit and withdraw to each other to wash the money." The exchange said its approach is to implement its own detection mechanisms to identify suspicious activity and work directly with law enforcement to take down criminal groups.
Neeraj Agrawal, the communications director at the cryptocurrency think tank Coin Center, told Motherboard that this operation is a reminder that "over the last decade law enforcement and cryptocurrency companies have become more skilled at tracking the movements of funds through cryptocurrency networks," and that "cryptocurrencies are not necessarily a black box for law enforcement."
In the case of the Cl0p money launderers, Binance said its anti-money laundering (AML) detection and analytics program found suspicious activity on Binance.com and was able to follow the money to expand "the suspect cluster." Then, working with blockchain analytics companies, the company found that "this specific group was not only associated with laundering Cl0p attack funds, but also with Petya and other illegally-sourced funds. This led to the identification and eventual arrest of FANCYCAT."
The Cyber-Police Department of the National Police of Ukraine, which led the operation against the Cl0p launderers, did not respond to a request for comment.
Weaver told Motherboard in an email that the operation shows once again that laundering millions in Bitcoin is very hard, given that by design all transactions on the blockchain are public, "and 'Bitcoin Tumblers' can't and never have worked for large sums." So, he said, criminals attempt to hide inside large exchanges such as Coinbase. However, as this instance shows, some exchanges are getting wise to this and developing tools as well as working with law enforcement to crack down on illegal activity.
For Weaver, this operation "will only matter if ALL the exchanges follow through and do this," because otherwise criminals can just move over to a more forgiving exchange, he said.
Subscribe to our cybersecurity podcast, CYBER.