Chainalysis crypto crime briefs highlight three sketchy firms

The blockchain intelligence firm reports on a dark web hosting site, a potential Ponzi scheme, and a sanction-busting cryptocurrency exchange linked to a ransomware gang

UPDATE, July 22, 2020: On July 10, 2020, Modern Consensus received a letter on behalf of CoinDeal from Dawid Wasilewski, an attorney in Wrocław in western Poland. Regarding our story, which was published May 6, 2020, Mr. Wasilewski asserts that this story, and those from other publications based on the same information, is inaccurate in suggesting “closer ties between all three entities than meets the eye.” Modern Consensus did not reach that conclusion itself, but merely reported the true fact that blockchain intelligence firm Chainalysis did in fact raise those concerns in a detailed report. We are adding here Mr. Wasilewski’s strong denial of the Chainalysis findings.

According to Mr. Wasilewski, 

“We hereby confirm that FutureNet, its owners or its affiliated companies are not personally or financially connected with CoinDeal ltd., its owners or any companies of CoinDeal’s owners. Any insinuation that CoinDeal is affiliated with FutureNet or its business is false and defamatory, and under current circumstances surrounding FutureNet, significantly harms goodwill and trademark of CoinDeal.

Any relations owners of CoinDeal (and their other companies) had with FutureNet business were relations of an independent contractor. Those services included and were limited mainly to listing FTO on CoinDeal exchange in April 2018, providing services of bitcoinAPI since March 2018, and developing a mobile app by a softwarehouse company belonging to Adam Bicz, Kajetan Mackowiak in the beginning of 2017 (without any MLM elements).

Bitcoin API was never owned, operated or created by FutureNet. Indeed FutureNet used bitcoin API but in (sic) didn’t own any part of it – it used it as would any other client would (sic). There are no, and were none, personal links between BitcoinAPI/Paycoiner and FutureNet.”

Modern Consensus has not confirmed or disproven Mr. Wasilewski’s characterization of the relationship between FutureNet and CoinDeal. We stand by our reporting of the fact that Chainalysis issued a report making those conclusions and reiterate that we offer no additional conclusions of our own.

Blockchain intelligence firm Chainalysis has launched a series of crypto crime briefs that are designed to cast a spotlight on dubious organizations that could be of interest to law enforcement agencies, regulators, and cybersecurity experts.

The blockchain intelligence firm says the first three cases highlighted in its reports are not currently under active investigation—but it is urging governments and legitimate businesses in the crypto sector to look into the transactions for themselves.

The case of the North Korea connection

Chainalysis CEO Michael Gronager (Photo: Chainalysis).

The first of the Chainalysis crypto crime briefs delves into Black Host, a “bulletproof hosting provider.” These businesses allow users to establish websites while staying anonymous—and given the fact that they’re often lenient about the type of content that’s published on their platforms, ties have been established to malicious actors. Services can be purchased using cryptocurrency, further muddying the money trail and helping criminals keep their true identity under wraps.

Chainalysis claimed that Black Host has received payments from a crypto address that’s tied to the notorious Lazarus Group, a cybercrime outfit that’s been linked to the North Korean government. (As reported by Modern Consensus last year, it’s believed that Pyongyang has been able to fund research into nuclear weapons by stealing an estimated $2 billion from crypto exchanges.)

For Black Host, it seems counting Lazarus Group as one of its clients has been worn as a badge of honor. The blockchain intelligence firm said the infamous hackers’ use of Black Host is mentioned in ads on darknet websites promoting its hosting services before adding that they are available for just $1.95 a month. Bargain.

The only question that leaves is why Lazarus even needed Black Host to begin with. As the Chainalysis report said, the group’s strategy for hacking exchanges often involves “sophisticated phishing campaigns in which the hackers create made up companies complete with fake websites, employees, social media accounts, and email addresses.” Attackers then posed as employees of these fictitious firms in order to dupe unsuspecting exchange staff into downloading malicious software.

“Black Host would be a logical choice given its focus on anonymity and promise to keep its customers’ websites up under virtually any circumstances,” Chainalysis added.

The case of the sophisticated Ponzi scheme

The second of the Chainalysis crypto crime briefs paints a picture of intrigue, with an investigation into a seemingly ordinary Ponzi scheme opening up an expansive scamming infrastructure made up of shell companies.

Charles Ponzi’s mugshot (via Wiki Commons).

It all began with FutureNet, a Poland-based multi-level marketing company that allows users to buy digital advertising packages that can then be sold on to others. Purchases are made in Bitcoin and “returns” are received in a native cryptocurrency known as FuturoCoin—a structure that, according to the blockchain intelligence firm, smacks of PlusToken, an infamous Chinese Ponzi scheme that stole $2 billion in 2018 and 2019.

“Blockchain analysis suggests that FutureNet’s administrators built an infrastructure of shell companies to facilitate its payments to and from victims, possibly to lend more legitimacy to the company and create a degree of separation between them and the transactions,” the Chainalysis report warns.

Victims are asked to make payments using a merchant services provider known as BitcoinAPI, while “profits” are deposited in accounts with the CoinDeal exchange. The Chainalysis investigation suggests there are closer ties between all three entities than meets the eye—and that they may even be owned by the same entity.

The authors of the brief say there is a clear motive behind this: making victims believe that they are using a multitude of independent companies, and giving them a false sense of protection in the event something goes wrong with FutureNet. But as the report adds: “FutureNet administrators may also believe that separating the payment mechanisms from the Ponzi scheme itself will make it more difficult for law enforcement to investigate them.”

According to Chainalysis, vigilance in the crypto sector against such tactics is nothing short of crucial, as they can make uncovering scams harder. Calls have been made for exchanges to be on the lookout for deposits from addresses that have ties to FutureNet, BitcoinAPI, and CoinDeal, as it could be evidence of money laundering or an attempt to launch an exit scam.

The case of the Iranian exchange

Chainalysis’ last crypto crime intelligence brief shines a light on an Iranian cryptocurrency exchange known as Farhad.

This is an unusual proposition to begin with. Although Iran has been cut off from the vast majority of international exchanges, mainly because these platforms fear violating sanctions imposed by the United States, it still appears to be possible to buy Bitcoin and other cryptocurrencies in the economically isolated country.

Farhad enables Iranian rials and some stablecoins to be exchanged for BTC, ETH and USDT—complete with detailed guides on how to complete these transactions. The twist is that a notable user of this service appears to be Ali Khorashadizadeh, an Iranian man who is on sanctions lists for his role in helping a ransomware gang exchange ill-gotten Bitcoin for rials.

The ransomware was known as SamSam, and it’s estimated its creators managed to elicit $30 million in payments from more than 200 victims in the U.S., healthcare providers and city governments among them. “Based on the timelines of the transactions, it’s possible that the transfers from Khorashadizadeh’s sanctioned address to Farhad Exchange are the result of efforts to launder SamSam funds,” the report adds.

Three separate cases, each showing how businesses and the public remain at risk from malicious actors in the crypto sphere. Worse still, according to Chainalysis, many of these organizations continue to operate with impunity.

Connor Sephton is a journalist with an interest in cryptocurrencies, personal finance, and financial inclusion—as well as the challenges the crypto industry faces in achieving mainstream adoption. He owns cryptocurrencies.