Jun 06, 2023

Virtual currency, or cryptocurrency, revolutionized cybercrime. Criminals no longer needed to transfer funds to each other via payment services and financial institutions. Bitcoin – which relies on a decentralized public ledger and public key cryptography – could be directly sent to another person in a trustless system with no middle parties needed. That sparked a new era where cybercriminals could create online markets for the trade of illegal products, goods and services, all paid for using cryptocurrency. Cryptocurrency also gave a type of cybercrime called ransomware an intensive boost. In a ransomware attack, attackers steal and encrypt data and try to extort victims. Virtual currency meant that attackers could ask for enormous sums that would have been infeasible to transfer using the international banking system.

Bitcoin spawned the creation of other varieties of virtual currencies: Monero, Ethereum and Tether, amongst thousands of others. But it’s far from a perfect financial system for cybercriminals. While threat actors may amass significant funds in these currencies, they face two key issues. First, their cryptocurrency funds are traceable to illegal activity and are, by their nature, unclean. Bitcoin, for all of its promised pseudo-anonymity in its early days, is very much traceable due to advances in blockchain analysis. Second, cryptocurrency funds cannot be widely used to conveniently purchase real-world items.

Additionally, as the virtual currency industry grew in bitcoin’s footsteps, financial regulators around the world saw the rise of alternative currencies as potentially disruptive forces to economies. The speed at which new virtual currencies were created, the general lack of oversight and criminal interest in the industry were also viewed as potential security concerns. As a result, cryptocurrency exchanges that want to operate as legitimate businesses must abide by anti-money laundering (AML) and know-your-customer (KYC) regulations similar to other financial institutions.

This has posed complications for cybercriminals. Although it is possible to hold virtual currency indefinitely, at some point criminals may want to exchange it for a different cryptocurrency or convert the gains into fiat currency. This has become more difficult, particularly as governments have outlined that close scrutiny and enforcement of regulations on the cryptocurrency industry is integral to countering ransomware. Squeezing the illegitimate channels ransomware operators use makes it harder for cybercriminals to move funds through those channels and cash out.

Those enforcement efforts are forcing virtual currency exchanges to innovate in order to serve a criminal customer base. These gray market services do not comply with AML and KYC regulations and often openly advertise that as a competitive advantage. Gray market exchanges often explicitly state they are not interested in the origins of customers' funds and may market themselves on underground cybercrime forums to further make it clear they are happy to deal with funds involved in illegal activity.

Cybercriminals can use these exchanges to cash out illegally gained funds to fiat currency or to convert “dirty” cryptocurrency to funds not associated with crime. Because bitcoin’s blockchain ledger is public, bitcoins obtained as the result of criminal activity can be traced, making it a necessity to mask or launder those funds. As such, gray market exchanges play an integral role in the ongoing success of cybercriminals. Threat actors can go on to use laundered cryptocurrency funds for further criminal enterprises or simply cash out to fiat currency and profit from their illegal activity in the “real” world.
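The traceability the paragraph above relies on comes from the ledger being public: every output can be followed to the next transaction that spends it. The following added example (not Intel 471 tooling or code from the original post) shows the proportional "haircut" taint method that blockchain analysis commonly applies, run over a small constructed ledger. The addresses (`ransom_addr`, `hop_a`, `exchange_deposit`, and so on) and amounts are invented for illustration; the point is that mixing a flagged ransom payment with clean funds only dilutes the taint, it does not remove it, and a deposit address that ends up holding a tainted share is what an exchange's compliance screening would flag.

```python
from collections import defaultdict

# Constructed sample ledger (not real transactions); amounts in BTC. Each
# transaction lists the addresses and amounts it spends and the outputs it pays.
# The ledger is in chronological order, as it would be read off the chain.
SAMPLE_LEDGER = [
    # victim pays the ransom to the attacker-controlled address
    {"inputs": [("victim_wallet", 5.0)], "outputs": [("ransom_addr", 5.0)]},
    # ransom funds are combined with clean funds (a miner payout) and split
    {"inputs": [("ransom_addr", 5.0), ("miner_payout", 5.0)],
     "outputs": [("hop_a", 6.0), ("hop_b", 4.0)]},
    # one branch is deposited at an exchange
    {"inputs": [("hop_a", 6.0)], "outputs": [("exchange_deposit", 6.0)]},
]


def trace_taint(ledger, flagged):
    """Propagate taint forward through a chronologically ordered ledger.

    Returns {address: (total_received, tainted_received)}. Funds leaving a
    flagged address are fully tainted; otherwise the tainted share of an input
    equals the tainted fraction of everything that address has received so far
    (the proportional, or "haircut", method used in blockchain analysis).
    """
    received = defaultdict(lambda: [0.0, 0.0])  # address -> [total, tainted]

    def fraction(addr):
        if addr in flagged:
            return 1.0
        total, tainted = received[addr]
        return tainted / total if total else 0.0

    for tx in ledger:
        in_total = sum(amt for _, amt in tx["inputs"])
        in_tainted = sum(amt * fraction(addr) for addr, amt in tx["inputs"])
        # every output of a transaction inherits the same tainted fraction
        tx_fraction = in_tainted / in_total if in_total else 0.0
        for addr, amt in tx["outputs"]:
            received[addr][0] += amt
            # money paid into a flagged address is tainted by definition
            received[addr][1] += amt if addr in flagged else amt * tx_fraction
    return {addr: tuple(v) for addr, v in received.items()}


def flag_deposits(taint, watch, threshold=0.1):
    """Return watched (e.g. exchange deposit) addresses whose tainted share
    of received funds meets the threshold, mapped to that share."""
    hits = {}
    for addr in watch:
        total, tainted = taint.get(addr, (0.0, 0.0))
        if total and tainted / total >= threshold:
            hits[addr] = tainted / total
    return hits


if __name__ == "__main__":
    taint = trace_taint(SAMPLE_LEDGER, flagged={"ransom_addr"})
    for addr, (total, tainted) in taint.items():
        print(f"{addr:17s} received {total:5.2f} BTC, tainted {tainted:5.2f}")
    print("flagged deposits:", flag_deposits(taint, {"exchange_deposit"}))
```

Running the script shows the 5 BTC ransom diluted to a 50% share at `hop_a` and `hop_b`, and the same 50% share arriving at `exchange_deposit`. A compliant exchange would screen that deposit; a gray market exchange that ignores the origin of funds is exactly the gap this post describes.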

In this blog post, Intel 471 analyzes the state of gray market cryptocurrency exchanges. This analysis is an excerpt from a longer research piece. If it is of interest, please contact Intel 471.

How cryptocurrency exchanges work

To better understand the role of cryptocurrency exchanges in facilitating cybercrime, we must consider how threat actors interact with these services. Intel 471 has observed a variety of models for gray market cryptocurrency exchanges. Most exchanges broadly fall within one of two models: peer-to-peer (P2P) or centralized. Their key differences and the associated advantages and disadvantages are explained in further detail below.

Peer-to-peer and centralized exchanges

The most commonly observed gray market exchange model in the underground is the P2P model. P2P exchanges allow customers to trade cryptocurrency assets with one another directly without the need for an intermediary. The exchange allows customers to select a trading partner themselves or automatically pairs customers seeking to trade the same asset. In recent months, this model has increasingly been adapted to use automated channels on Telegram to handle transactions. There are several key reasons this model likely is the most commonly observed for gray market exchanges. P2P does not require the exchange owner to have a large amount of start-up capital. Besides establishing a website or Telegram channel and advertising to customers, overhead is relatively limited.

By contrast, the centralized exchange model requires potentially large reserves of multiple cryptocurrencies and, in some cases, fiat currencies to ensure continued liquidity of trading. P2P exchanges may offer more competitive trading fees, although this is not always the case. In many P2P exchanges, trading partners dictate their own fees for trading, which can stimulate more competition among providers to bring down trading fees. Naturally, this is a significant draw to potential traders in the cybercriminal world.

Centralized cryptocurrency exchanges work using an order book system, much like a stock exchange. The centralized exchange dictates the cryptocurrency and fiat currency pairings available and presents customers with the current price of the asset based on the prevailing market price. The currency reserves held by centralized exchanges make it more likely a trade will be completed in situations with limited liquidity. Additionally, due to their added complexity and start-up costs, centralized exchanges typically operate in a more professional way and have established themselves over several years. This likely creates a more loyal customer base and trust that transactions will be completed in a timely and accurate manner.

Law enforcement crackdowns

There has been a trend in recent months, particularly in the U.S., of law enforcement cracking down on cryptocurrency-enabled and cryptocurrency-dependent cybercrime. Notable recent examples include the aforementioned seizure of several domains linked to exchanges and the arrest of the founder and majority owner of the Bitzlato cryptocurrency exchange, Anatoly Legkodymov, in January 2023. The increased focus on the role of cryptocurrency in facilitating cybercrime shows how seriously governments are taking the issue. It is likely the recent seizure of nine major cryptocurrency exchanges that eschewed AML and KYC protocols will have a significant impact on the availability of gray market exchanges in the underground, particularly centralized exchanges, and may result in an increased focus on P2P exchanges hosted via non-traditional means rather than clear web domains.

Movement to Telegram

As mentioned above, recent moves to crack down on gray market cryptocurrency exchanges likely will have far-reaching consequences for the underground economy. Even prior to the recent law enforcement actions, Intel 471 observed an uptick in actors offering simplistic P2P exchanges, requiring limited start-up capital and technical know-how, hosted on simple Telegram channels. The bare-bones nature of these exchanges, their affordability and the relative anonymity offered by Telegram compared to clear web hosting likely contributed to this rise. Discord also has been used to host similar services, though to a lesser extent. These services also are potentially lucrative for providers, who can receive more significant commissions for trades compared to centralized exchanges.

As an example, one threat actor has developed a service using automated Telegram channels to handle transactions. The actor first advertised the Russian-language P2P exchange in October 2022, describing the service as an “anonymous P2P exchange” and explicitly stating the service did not adhere to AML and KYC regulations. The anonymity-focused exchange allegedly does not conduct any verification checks on customers and does not log any transactions. The service allegedly does not charge any commission on exchanges, which can be conducted between different cryptocurrencies and from cryptocurrency to fiat. The service allows users to deposit, store and withdraw funds in bitcoin and the Tether TRC-20 (USDT) cryptocurrency.

Summary and outlook

Cryptocurrency exchanges — legitimate and illegal — play a crucial role in the continued functioning of the underground economy. Gray market exchanges in particular offer threat actors a reassuring alternative with a certain degree of anonymity. Without the shackles of AML and KYC regulation, threat actors are free to launder dirty cryptocurrency funds via P2P schemes or more industry-standard centralized exchanges. The recent seizure of multiple well-established centralized exchanges is a significant and positive step toward eradicating their presence in the underground.

In the immediate future, however, it is likely more dynamic and anonymity-focused P2P exchanges will continue to rise from these ashes due to their simple business model and low associated costs. In the longer term, it is possible the continued rise in popularity of anonymity-focused cryptocurrencies such as Monero may negate some of the need for gray market exchanges, though Bitcoin’s predominance is expected to remain. Intel 471 will continue to monitor developments in the cryptocurrency exchange space, as well as collaborate with law enforcement and blockchain analysis capabilities to track the flow of illicit currency.