Chainalysis claims bulk of ransomware payments head to Russia

Chainalysis has tracked over US$400 million (74%) of ransomware payments. It says that the payments “went to strains we can say are highly likely to be affiliated with Russia in some way.” It came to that conclusion because “most of the extorted funds are laundered through services primarily catering to Russian users.”

What it really means is Russian-speaking users or those affiliated with Russian ransomware groups. What is not clear is exactly where the money ended up.

It shows the challenge of attribution, something that the entire security industry suffers from. The fact that the services are in Russian shows only that the users have some aptitude in speaking or writing Russian.

How did Chainalysis tie this to Russian cybercriminals?

One of the key elements of this blog and the claims is where the ransomware originated. In this case, Chainalysis used three criteria to say the ransomware is linked to Russian cybercriminals:

  1. Is the ransomware linked to Evil Corp, a Russia-based cybercrime group? (9.5%)
  2. Does it specifically avoid companies based in the Commonwealth of Independent States (CIS)? (26.4%)
  3. Are there other indicators such as language and affiliate programmes that suggest the ransomware is based in Russia? (36.4%)

Using the above criteria, it was able to show that just 27.4% of total ransomware payments went elsewhere.

Using blockchain to track the money

One of the other indicators that Chainalysis used was where the money was laundered. It used a combination of blockchain analysis and web traffic to identify the wallets that received payments. It found that the majority of funds are laundered through services with operations in Russia.

However, it was only able to show that 13% of the funds went to users it believes to be based in Russia. That puts an interesting emphasis on cybercriminals based in other CIS states and those who are smart enough to obfuscate their identities by using Russia-based services.

Moscow is a hot spot for cryptocurrency laundering

As part of the research, Chainalysis looked at cryptocurrency businesses either headquartered or with a significant presence in Moscow’s financial district. It found that from Q4/2020, there was a large jump to over $300 million in illicit and risky activity related to cryptocurrency.

The company defines risky as “addresses connected to entities that, while not necessarily inherently criminal, are frequently linked to criminal activity, such as high-risk exchanges and mixers.”

That increase continued over the next two quarters, peaking at over $400 million in Q2/2021. It then dropped back in Q3/2021 before increasing to over $200 million in Q4/2021.

What is of more concern is that illicit and risky activity ranged between 29% and 48% of all transactions over three years. That’s a significant amount of funds to be moving through the businesses. Interestingly, ransomware accounts for just 5.5% of those funds. The two biggest areas of suspicious payments are scams (45.6%) and the darknet market (43.1%).

The report lists seven companies and the amount of money they receive from ransomware, scams and darknet markets.

After Russia’s REvil action, will anything change?

That’s a good question. In January, Russia said it had dismantled the REvil ransomware group and arrested its members. It also claimed to have recovered around £4 million, some of it in cryptocurrency. The result was that many cybersecurity companies claimed it had sent a shockwave through the darknet. There was, apparently, concern that this was part of a larger crackdown.

So far, however, there has been no further big announcement and no further information on those arrested. At the same time, if Russia was serious about cracking down on cybercrime, it could start by dealing with those laundering the proceeds.

Enterprise Times: What does this mean?

There are several takeaways from this report. The first is that Russian-speaking does not mean Russian citizen. One of the problems of attribution is that usage of a language doesn’t provide detailed geolocation.

The second is, why is so little being done in Russia to deal with cryptocurrency laundering? If the data is accurate, why have no other governments taken action to name the companies Chainalysis lists as money launderers? If countries are going to take cybercrime seriously, they need to cut off the sources of funding, which means action against those businesses enabling it.
