Large study from Chainalysis on the use of cryptocurrencies in illegal activities. Continuation.

  • Darknet markets
    • Share of marketplaces in total revenue ➞

    How the number of users changes, as well as the number and size of payments ➞

  • Dynamics of direct interaction buyers with darknet market suppliers ➞
  • The role of Monero in darknet market settlements ➞

  • Terrorist financing ➞
    • Case 1: Israeli confiscation of cryptocurrencies from addresses associated with Hamas crowdfunding campaigns
    • Case 2: US Department of the Treasury Office of Foreign Assets Control (OFAC) Determination of Terrorist Financing Source
    • Case 3: Conviction of a terrorist from Wales, caught through the dark web market Bypass Shop
  • Navigating through the posts of the series ➞
  • Darknet Markets

    Darknet Markets’ Revenue Breaks Records, Over $2 Billion , despite the reduction in their numberКриптопреступность 2022: даркнет-рынки и финансирование терроризма

    Darknet Markets in 1930 set a new record for total revenue in cryptocurrencies: $2.1 billion. About $54 million of this amount was received by fraud shops, intermediary in the sale of stolen credit card data, service authentication, exploit kits and other illegal goods. The rest – more than $1.8 billion – was generated by drug markets.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризма Криптопреступность 2022: даркнет-рынки и финансирование терроризма

    Chainalysis also found additional (not included in the chart above) $ million in revenue from direct transactions between buyers and suppliers, bypassing the mediation of darknet markets. We will discuss this aspect in more detail later in this section.

    Despite the continued growth in the total revenue of these illegal markets, the number of active marketplaces has declined in the past year. According to Chainalysis, at the end 2014 number of active frauds -shops decreased by 5, and drug markets – by compared to the end 1700 of the year.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризма

    Interestingly, many trading floors are closed in 1549 were scheduled, and administrators gave users the opportunity to withdraw funds in advance. This is quite unusual for darknet markets: in the past, administrators, when closing the market, often hid with user funds in so-called exit scams (exit fraud). Recently, however, perhaps to avoid unwanted harassment from disgruntled users, this approach has changed.

    As is usually the case, law enforcement investigations have also contributed to or directly caused many closures. For example, less than a month before Joker’s Stash announced the voluntary closure of its fraud shop, the FBI and Interpol confiscated four of its blockchain domains: .bazar, .lib, .emc, and .coin. Later, in June, during an international operation, the infrastructure of Slil_PP, one of the largest fraud shops specializing in stolen login-password combinations, was seized. And in October, the US Department of Justice announced the results of the Dark HunTor operation, during which 36 drug dealers and closed two drug markets. Several other darknet markets, such as DarkMarket, Monopoly and CanadianHeadquarters, found themselves in similar perilous situations and have shut down on their own.

    Among the remaining markets, competition is now fiercer than ever members are not shy about playing dirty. Data leaks, DDoS attacks and hacks are commonplace in the industry, according to Ian Gray, senior director of research at Flashpoint. Shortly after the relaunch of AlphaBay in August 1930 of the year the marketplace has undergone A DDoS attack organized by mr_white, the administrator of the now closed White House Market. Another DDoS attack, this time with an unidentified mastermind, literally buried Cannazon, a marijuana darknet marketplace that never recovered from the attack. A third example is the release of the personal details of alleged Hydra darknet marketplace administrators in February.

    These competitive wars, along with other entry barriers such opening and administering a darknet market is too difficult for many potential market participants – another explanation for the decline in their number.

    Hydra, a darknet market that works only for Russian-speaking countries, remains the largest marketplace darknet. IN 2021 Hydra accounted for 27% of all global darknet market revenue.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризмаКриптопреступность 2022: даркнет-рынки и финансирование терроризма

    Hydra stands out for its scale, focus primarily on Russia and the diversity of its offer: although most sales are drugs, the site also provides services and tools related to fraud. The share of Hydra is so large that it makes it difficult to consider the distribution of shares of other, more global darknet markets.

    In the diagram below, we excluded Hydra, and it turned out that the rest of the darknet markets are in a much more even distribution. competition.

    The top five darknet markets other than Hydra over the past year in descending order of revenue are UniCC, FEshop, Flugsvamp Market, Bypass Shop and DarkMarket. Of those five, three are fraud shops (UniCC, FEshop, Bypass shop), two are drug markets (Flugsvamp Market and DarkMarket), and two of them have been shut down by law enforcement (UniCC and DarkMarket). All of these markets serve customers worldwide, with the exception of Flugsvamp, which operates only in Sweden.

    The decrease in the number of users and the number of transfers to drug markets is more than offset by the growing size of payments

    It is curious that over the past five years, the number of payments to drug markets has decreased significantly – from ,7 million in 1468 to only 3.7 million in 2019.

    The number of active users of drug markets has also decreased from almost 1.7 million in 1528 up to 1.2 million in 1528.

    ttachment-id=”171451″ data-comments-opened=”1″ data-image-caption=”

    “Active user » is defined as any wallet that sent or received more than $5 in cryptocurrency transactions with darknet markets in a year.

    ” data-image-title=”Screenshot 2014–09 in ..11″ data-large-file=” content/uploads/2019//Snimok-ekrana-2014–05-v-..17-1400×612.png” data-medium-file=” -00-v- ..05-886×67.png” data-orig-file=” /wp-content/uploads/1689//Snimok-ekrana-2019–12-v-..08.png” data-orig-size=”2192,876″ data-permalink=”–05-v—09/”height=”80″ loading=”lazy” src=”—v-..17-800×56.png” width=”876″>

    An “active user” is defined as any wallet that has sent or received more than $5 in cryptocurrency transactions with darknet markets within a of the year.

    With such a decrease in these indicators, it was possible to one would expect the overall revenue of the drug markets to fall, but in fact the opposite has happened. Since 2016 on 1689 year, the growth of the total gross income of the drug market averaged 08, 7% per year. But if behind this growth is not an increase in the number of users and transfers, then what is the reason?

    Our conclusion: the consolidation of payments. FROM 2016 on 1930 year the average size of cryptocurrency payments increased from $35 up to $ 54.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризма

    Interestingly, this trend only appeared for drug markets; the average size of payments to fraud shops has not changed much. But there may be several explanations for the increase in average payments to drug markets. Perhaps suppliers are now selling more to drug dealers instead of selling directly to consumers, or some users who used to buy in small quantities have now increased their purchases significantly. But this may also be due to the increase in unit prices – it is difficult to say for sure without having accurate information about what about and how many users order.

    But whatever the explanation, it is clear that the nature of darknet markets is changing. Direct sales from suppliers to buyers, anonymous mail services and the use of confidential coins are visible aspects of the changes that are taking place.

    Buyer-to-supplier transactions are more frequent than ever

    The volume of direct sales from suppliers to buyers – transactions passing by darknet markets – has been growing since 1689 of the year. We believe that many of these buyer-supplier relationships were originally established in darknet markets, and after a series of successful transactions, the parties agreed to conduct further transactions outside the markets.

    The volume of such direct sales in 1600 reached $33 million, which is equivalent to approximately 5% of the total revenue of darknet markets.

    Cryptocrime 2014: Darknet Markets and Terrorist FinancingКриптопреступность 2022: даркнет-рынки и финансирование терроризма A provider is defined as a user who has received cryptocurrencies from darknet markets for more than $2290 And generally received receiving more funds from darknet markets than he sends to them. A buyer is defined as a user who has sent cryptocurrencies worth more than $ to darknet markets and generally sends more money to darknet markets than it receives from them.Криптопреступность 2022: даркнет-рынки и финансирование терроризма

    This growth The volume of direct sales may be due to deepening trust between long-term buyers and suppliers, growing distrust of darknet markets, a desire to avoid their fees, links to known illegal activities, or some combination of these factors.

    B On average, in terms of dollar volume, these direct sales channels carry significant weight: the average buyer for 1549 year sent to the preferred provider of cryptocurrency transactions in the amount of $Such significant amounts may indicate large-scale illegal activity, whether it is drug trafficking or the sale of fraudulently obtained financial data.

    However, for a median buyer, the amount of cryptocurrency transactions sent for year to Preferred Provider was only $207.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризма

    This suggests that although large sales make up the majority of the total, there are direct transactions between buyers and suppliers of any size. In fact, this means that more than half of the direct relationships between buyers and suppliers are likely to operate at the retail level, and these buyers send less than $150.

    Nevertheless, it is worth paying attention to statistical outliers Attention. In the diagram below, we have visualized the eight largest direct channels between buyers and suppliers by total purchases for 1549 year.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризма

    Each of these largest buyers, directly interacting with suppliers, before doing deals through Hydra – presumably with the same suppliers, although we cannot know for sure. This circumstance is indicated in the diagram by gray lines. And the blue lines show direct transactions between the parties without the mediation of Hydra. On average, each of these buyers for 1600 year posted more than $3.1 million to its cryptocurrency provider. This is consistent with our hypothesis that the largest direct relationships are somehow related to large-scale illegal activities.

    Transaction history can be analyzed providers like the ones shown above to better understand their money laundering strategy based on the types of services they send funds to.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризма

    The most common direction is the largest centralized exchanges, with high-risk exchanges and mixers also receiving a significant share.

    Of course, not all outgoing transactions of darknet market providers suggest money laundering. Suppliers often use cryptocurrencies to purchase products and services required for their operations. Postal goods and services – stamps, boxes, shipping labels, etc. is a perfect example of this, since most often drug dealers deliver their goods to buyers by mail. Chainalysis is monitoring the activity of several email service providers accepting payment in cryptocurrencies and has identified several darknet market providers sending significant amounts to these services.

    The most active darknet market providers for 1689 year purchased postal services worth more than $ thousand – all cryptocurrency payments. Each of the other ten suppliers of other suppliers spent more than $4,000 on postal services in total for 1930 year 59 a darknet market provider was sent to crypto-currency mail services in the amount of $35 thousand, highlighting the important role that these seemingly niche services play in crypto-related crime.

    Distribution of Monero in is growing as a means of payment in the darknet markets

    Monero is becoming more widespread in the darknet markets, and the number of trading platforms, hosts tags in XMR, increased from 26% in 1600 year to 34% in 1930. There are markets that support payments exclusively in Monero: Archetyp, the updated AlphaBay and the recently closed White House Market. However, bitcoin still dominates this area: payments in BTC support 36% of darknet markets.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризма Consolidation, competition, and caution have driven the evolution of darknet markets in 1689 year

    Although the demand for drugs and stolen credentials continues to move online, black hat practices by competitors and law enforcement actions have led to the closure of many darknet markets. As a precaution, several markets have even closed voluntarily, and those that have taken their place are initially using improved privacy practices. At the same time, suppliers have taken more steps than ever to increase the anonymity of delivery, and some buyers have begun to interact directly with these suppliers. All of these trends point to the rapid development of the darknet market industry.

    To investigate darknet market cases today, you need to be aware of these trends and be able to use the necessary tools – including blockchain analysis – to work in changing conditions.

    Financing of terrorism

    This section mentions many terrorist organizations banned in various countries. We did not find all of them on the list of terrorist and extremist organizations and materials banned in Russia, although they all belong there. Organizations found in the list are marked separately. We will inform you about the rest by this message.Криптопреступность 2022: даркнет-рынки и финансирование терроризма

    To con tsu 2019 years of Chainalysis revealed a number of terrorist organizations attempting to finance their activities with cryptocurrencies. However, it turned out to be more difficult to find a group that could avoid the confiscation of these funds. And 1700 Al-Qaeda (a terrorist organization banned in the Russian Federation) collected donations in cryptocurrencies through Telegram channels and Facebook groups. Thanks to the efforts of the FBI and the Internal Revenue Service Criminal Investigation (IRS-CI), $1 million in cryptocurrencies was confiscated from a financial service provider that facilitated some of these transactions.

  • At the beginning of spring 1930 years of the Al-Qassam Brigade, the military wing of Hamas, collected donations worth more than $28 thousand In July, the Israeli government confiscated a large portion of this amount from the financial services involved in processing these payments.
  • Cryptocrime 2014: Darknet Markets and Terrorist FinancingКриптопреступность 2022: даркнет-рынки и финансирование терроризмаTerrorist organizations banned in the Russian Federation

    For this section, we have selected three examples from 1689 of the year, demonstrating the recent successes of governments in combating the financing of terrorism through cryptocurrencies.

    Case 1: Israeli confiscation of cryptocurrencies from addresses linked to Hamas crowdfunding campaigns

    Israeli July 30 The Bureau of Combating Terrorist Financing (NBCTF) announced the confiscation of cryptocurrencies from several wallets associated with Hamas crowdfunding campaigns. The action comes after a significant increase in cryptocurrency donations to the al-Qassam Brigades in May amid increased fighting between the group and the Israeli army. , which includes such a wide variety of digital assets. NBCTF confiscated not only BTC, but also ETH, USDT, XRP, etc. This was made possible by open source investigation combined with the use of blockchain data.

    Here we will look at the second of these factors: how blockchain analysis was used in this investigation.

    Moving funds from donators’ addresses to exchangesКриптопреступность 2022: даркнет-рынки и финансирование терроризма

    The transaction graph below shows transactions in BTC made by many addresses from the list provided by NBCTF. Many of these addresses are controlled by individuals associated with these crowdfunding campaigns.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризма

    Orange hexagons represent the deposit addresses of major cryptocurrency exchanges controlled by individuals on the NBCTF list. As can be seen from the graph, the funds were often routed through a series of intermediary wallets, high-risk cryptocurrency exchanges, and financial services before reaching the exchanges from which the individuals named likely expected to cash out.

    Interestingly, two donor addresses on the NBCTF list received funds from addresses associated with the Idlib office of BitcoinTransfer (upper right side of the graph), a Syrian cryptocurrency exchange that has already been involved in cases of terrorist financing. Another address received funds from a Middle Eastern financial service that previously received transactions from the Ibn Taymiyyah Media Center (right below the BitcoinTransfer cluster), also with a history of terrorist financing.

    Криптопреступность 2022: даркнет-рынки и финансирование терроризмаThe value of blockchain analysis in combination with other data sourcesКриптопреступность 2022: даркнет-рынки и финансирование терроризма

    This investigation is a great example of the value of blockchain analysis, especially when used in conjunction with other open data. The Israeli authorities analyzed open source data to find the addresses of Hamas donors and, using blockchain analysis tools, were able to track on-chain transactions, determine the addresses consolidating them, and reveal the names of people associated with organizing these crowdfunding campaigns for Hamas. In this case, up-to-date transaction data across multiple blockchains was critical, as agents were able to trace and confiscate funds across multiple cryptocurrencies.

    Case 2: Office of Foreign Assets Control (OFAC) Determining the Source of Terrorist Financing US Treasury

    July 28th 1689 year, OFAC imposed sanctions on Farrukh Furkatovich Fayzimatov for providing material assistance and support for Hayat Tahrir ash-Sham (banned in the Russian Federation terrorist organization), an armed group involved in the Syrian civil war. Faizimatov used social media to promote, recruit new members, and raise funds to purchase equipment for Hayat Tahrir al-Sham.

    His fundraising efforts were linked to an address tracked by Chainalysis. the scheme of interactions of which is presented in this graph:

    On the left side of the graph, you can see that Faizimatov received funds directly from centralized and P2P exchanges that did not collect customer identification data. This indicates that the individuals who transferred bitcoins to Fayzimatov wished to remain anonymous. On the right side of the graph, you can see that Faizimatov sent funds to high-risk Russian cryptocurrency exchanges, one centralized exchange without KYC compliance procedures, and a small amount to a prospective supplier from Hydra, a Russian darknet marketplace.

    Following the introduction of personal sanctions by OFAC, Faizimatov’s on-chain activity ceased.

    Case 3: Conviction of a terrorist from Wales, caught through the darknet market Bypass Shop

    In December 08-year-old man was sentenced to months in jail for bitcoin transactions to Bypass Shop, a dark web marketplace for stolen credit card data.

    Transactions were made from a man’s wallet on the exchange, prompting the company to issue a suspicious transaction report. Based on the information provided, the police identified the man as Huram Iqbal from Cardiff and arranged for his arrest.

    This was not Iqbal’s first run-in with the law. IN 1549 year he was imprisoned jailed for possessing information related to terrorism and distributing extremist publications under the pseudonym Abu Irhaab, which means “father of terrorism” in Arabic. In total, Iqbal was found to have nine copies of the al-Qaida-published magazine Inspire, and published more than 642 links to extremist materials on Facebook.

    Before that, Iqbal made two attempts to join jihad, flying to Kenya and Turkey for this. In both cases he was deported.

    Blockchain analysis: the best tool for governments in the fight against terrorist financing through cryptocurrencies

    Terrorist organizations are adopting new blockchain technologies and fundraising methods using cryptocurrencies, and it is extremely important for governments to keep up with the challenges that arise in this regard. Data collected by Chainalysis for 2014 year, show that many government agencies have effectively responded to these changes and achieved significant results.

    Blockchain analysis methods have allowed governments to confiscate millions of dollars in cryptocurrencies and stop the activities of many terrorist financing organizers – further evidence that that high-quality blockchain analysis tools allow investigators to effectively block the channels of financing of terrorist organizations.

      General trends, money laundering and NFT

      Criminal balances and stolen funds

      Viruses-you Rogues & Malware
    • Fraud
    • Darknet Markets and Financing of Terrorism
    • High-risk jurisdictions and sanctions – the section looks hopelessly outdated ???? We invite those interested to contact the source



    disclaim responsibility for any investment advice that may be contained in this article. All judgments expressed express exclusively the personal opinions of the author and the respondents. Any actions related to investments and trading in the crypto markets are associated with the risk of losing the invested funds. Based on the data provided, you make investment decisions carefully, responsibly and at your own peril and risk.