Over the last several days, we’ve seen media outlets publish faulty blockchain analysis related to the movement of funds by #DarkSide, the #ransomware group behind the Colonial Pipeline hack.
Blockchain analysis firms erroneously identified DarkSide’s movement of funds as a simple peel chain, without identifying the mixer involved. They incorrectly traced the funds to exchanges & other services based on that conclusion. bit.ly/3pSSDxU
A peel chain is a transaction pattern commonly seen in blockchain analysis, in which funds appear to move through several intermediate addresses. Peel chains occur naturally and aren’t inherently obfuscatory or evidence of money laundering. bit.ly/3pSSDxU
Ultimately, the faulty analysis came down to the first mistake we cover in our blog: Failure to identify mixers. bit.ly/3pSSDxU
DarkSide in fact sent funds to a mixer and received new funds at another address. Investigators who didn’t know this were in fact tracing funds no longer under DarkSide’s control. bit.ly/3pSSDxU
The error demonstrates how important data quality is in assessing blockchain analysis providers. This is especially important in ransomware investigations, where the use of mixers is a common obfuscation technique. bit.ly/3pSSDxU
Incorrect analysis can lead to erroneous subpoenas, which waste the time and resources of both investigators and the exchanges who are asked to provide information. bit.ly/3pSSDxU
Read our blog to learn about other common blockchain analysis mistakes that can lead investigators astray. bit.ly/3pSSDxU
Note: This Twitter thread was updated from a previous version to include a definition of the term "peel chain."
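As an added example (not part of the thread and not Chainalysis code), the following Python tracer follows a peel chain the way the thread defines it: at each transaction the largest output is treated as the continuing remainder and the smaller outputs are recorded as peels. Run with a mixer label set it halts when the remainder reaches a known mixer; run without one it reproduces the mistake described above, walking straight through the mixer into funds that belong to someone else. All transactions, addresses, amounts and the mixer set are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list[str]                  # addresses whose funds are spent
    outputs: list[tuple[str, float]]   # (receiving address, amount in BTC)


# Constructed sample transactions; none of these are real chain data.
SAMPLE_TXS = [
    Tx("tx1", ["ransom_payout"], [("exchange_A", 5.0), ("hop1", 70.0)]),
    Tx("tx2", ["hop1"], [("exchange_B", 10.0), ("hop2", 60.0)]),
    Tx("tx3", ["hop2"], [("mixer_deposit", 60.0)]),
    # The mixer pays out pooled coins; these are no longer the original funds.
    Tx("tx4", ["mixer_deposit"], [("unrelated_user", 30.0), ("other_user", 30.0)]),
    Tx("tx5", ["unrelated_user"], [("exchange_C", 30.0)]),
]

# Hypothetical mixer label set an investigator would maintain (constructed).
KNOWN_MIXERS = frozenset({"mixer_deposit"})


def spends_by_address(txs: list[Tx]) -> dict[str, list[Tx]]:
    """Index: address -> transactions that spend from that address."""
    idx: dict[str, list[Tx]] = {}
    for tx in txs:
        for addr in tx.inputs:
            idx.setdefault(addr, []).append(tx)
    return idx


def trace_peel_chain(start: str, txs: list[Tx], mixers=frozenset(), max_hops: int = 50) -> dict:
    """Follow the largest output at each step (the unpeeled remainder) and
    collect the smaller outputs as peels.

    Stops with reason "mixer" when the remainder lands at a known mixer,
    "unspent" when no transaction spends the current address, or
    "max_hops" as a safety bound. With an empty mixer set this is the
    naive tracer that keeps going past a mixer.
    """
    idx = spends_by_address(txs)
    current, path, peels = start, [start], []
    for _ in range(max_hops):
        if current in mixers:
            return {"path": path, "peels": peels, "stop": "mixer"}
        spends = idx.get(current)
        if not spends:
            return {"path": path, "peels": peels, "stop": "unspent"}
        tx = spends[0]
        # Largest output continues the chain; the rest are peeled off.
        outs = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        remainder, *peeled = outs
        peels.extend(addr for addr, _ in peeled)
        current = remainder[0]
        path.append(current)
    return {"path": path, "peels": peels, "stop": "max_hops"}


if __name__ == "__main__":
    naive = trace_peel_chain("ransom_payout", SAMPLE_TXS)
    careful = trace_peel_chain("ransom_payout", SAMPLE_TXS, KNOWN_MIXERS)
    print("naive  :", naive)    # walks through the mixer to exchange_C
    print("careful:", careful)  # stops at mixer_deposit
```

The naive run attributes exchange_C to the chain even though those coins left the mixer's pool and were never under the original sender's control; the mixer-aware run ends the trace at the deposit address, which is the point where a different investigative approach is needed.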
THREAD: Based on our blockchain analysis, we can confirm reports speculating that DarkSide #ransomware group has rebranded to BlackMatter. This is part of a trend in which ransomware groups shut down & reemerge with new names, often after law enforcement actions or media scrutiny
Chainalysis was able to confirm the financial connection between DarkSide and BlackMatter in late July '21 a few days before security researchers speculated there was a connection based on similarities w/ their encryption algorithms, decryptors, and more: bleepingcomputer.com/news/security/…
Sometimes following the money can provide an early indicator about a ransomware group’s revitalized operations. In this case, financial connections were made on the blockchain before any attacks were made public on BlackMatter’s blog therecord.media/an-interview-w…
THREAD: Here's a quick summary of our blog on the Bitcoin donation made in December to alt-right groups and figures involved in last week's violence at the Capitol.
Alt-right personality Nick Fuentes, who was pictured outside the Capitol but denies entering, was by far the biggest beneficiary of the donation, receiving roughly $250K. bit.ly/38J9quj
Other far right figures who received Bitcoin in the donation include Patrick Casey, Vincent Reynouard, and Ethan Ralph, as well as platforms and websites like the Daily Stormer, VDARE, and Gab. bit.ly/38J9quj
THREAD: We published a response to Treasury's proposed rule re: unhosted wallets, analyzing data behind their use, what the industry would have to do to comply & offering thoughts on how the rule could better achieve its purpose to curtail illicit activity bit.ly/3mHLYS2
First, three clear trends from our blockchain data suggest unhosted wallets are primarily used by individuals and organizations to either store their cryptocurrency for investment purposes, or move it between regulated trading venues.
Our first chart shows the vast majority of bitcoin sent between unhosted wallets is sourced from Virtual Asset Service Providers (VASPs), primarily exchanges:
THREAD: Here’s a quick summary of our blog on how blockchain analysis enabled law enforcement to identify an individual associated with the #TwitterHack who was arrested earlier today.
Background: @TheJusticeDept announced today the arrest of 3 individuals associated with the #TwitterHack - Mason Sheppard, aka “Chaewon,” Nima Fazeli, aka “Rolex,” and a third juvenile defendant known as “Kirk,” the alleged mastermind behind the attack. bit.ly/3fd2hT6
Kirk spear-phished Twitter employees to access a Twitter admin panel that enabled him to take over celebrity accounts, which he used to promote a trust trading scam. You can read the details on the scam itself here. bit.ly/2BR84jI
[THREAD] Here's what we know so far about today’s #Twitterhack & #Bitcoinscam. As of now, the scam’s main BTC address (bc1...0wlh) received ~$120k in donations in 375 transactions. No funds have been cashed out at exchanges yet.
2/ We know of 2 other donation addresses that were posted by the scammers on hacked Twitter accounts (bc1...d24x and bc1...w39l), which received $6.7k in 100 transactions.
3/ The Ripple address that was posted has not received any funds at this time. There may be other scam addresses; please DM us if you have others.