Yesterday, the U.S. Treasury Department announced extensive sanctions against Russian businesses and elites following the country’s invasion of Ukraine. This has prompted many to ask Chainalysis how Russia may attempt to use cryptocurrency to evade sanctions.
As is true in traditional finance, some may use crypto for sanctions evasion. But the inherent transparency of blockchains combined with Chainalysis data & tools gives governments and crypto businesses the ability to identify transactions by sanctioned entities and take action.
It’s unlikely that individuals designated in yesterday’s sanctions would move large quantities of crypto now. Russian elites and financial authorities have likely been preparing for sanctions, and would have carried out those transactions slowly over the past few months.
Chainalysis is monitoring for on-chain indicators of crypto-based sanctions evasion by Russian actors. We will alert our partners in government of any relevant activity and provide public updates where possible. So far, on-chain tx vols across the region are stable.
However, exchange order book data reveals one interesting trend. Over the last few days, there’s been a large uptick in transaction volumes for trading pairs involving the Russian ruble and Ukrainian hryvnia (credit @KaikoData).
Between 2/19 and 2/24, ruble trade pairs’ daily tx volumes have grown 8.6x to $124M USD, while hryvnia volumes have grown 8.2x to $42M. Note: This dataset includes five large exchanges for which @KaikoData offers ruble and hryvnia trade pair data.
While it’s possible the tx volume represents illicit actors converting funds into cryptocurrency, it could also be driven by individuals in both countries reacting to the recent devaluation of the ruble and hryvnia and attempting to preserve their savings.
Cryptocurrency adoption and literacy are high in both Ukraine and Russia, as they rank 4th and 18th respectively on Chainalysis’ Global Crypto Adoption Index. We therefore might expect to see citizens turn to crypto in the face of currency devaluation. bit.ly/2XEUHO3
We’ll also be monitoring the cryptocurrency activity of Russian cybercriminal groups. Already, the prolific ransomware gang #Conti has voiced its intent to support Russia in its war efforts and carry out cyberattacks on enemy states.
This wouldn’t be a surprising development. In addition to accounting for the majority of ransomware activity, cybercriminal groups allied with the Russian government launched attacks against the Ukrainian government in the weeks leading up to the invasion. bit.ly/3hjK61C
Overall though, we’re optimistic that the cryptocurrency industry can counter attempts by Russian actors to evade sanctions with crypto. Compliance pros have already proven effective in this regard, as we see from the effects of sanctions on Russian crypto businesses like Suex.
Follow us for more updates on cryptocurrency activity related to Russia’s invasion of Ukraine. You can also download our 2022 Crypto Crime Report for more research on Russian cybercrime, including trends in ransomware and money laundering. bit.ly/3JxuW52
We can investigate 🔎 this by analyzing the balances of criminal whales. 🐋
Let’s break down how we define criminal whales, how we analyze them, and why tracking their activity is so important.
<<🧵THREAD>>
What is a criminal whale? 🐋
We define a criminal whale as any private wallet holding $1M or more worth of #crypto that has received 10% or more of its funds from illicit addresses.
Over the last several days, we’ve seen media outlets publish faulty blockchain analysis related to the movement of funds by #DarkSide, the #ransomware group behind the Colonial Pipeline hack.
Blockchain analysis firms erroneously identified DarkSide’s movement of funds as a simple peel chain, without identifying the mixer involved. They incorrectly traced the funds to exchanges & other services based on that conclusion. bit.ly/3pSSDxU
A peel chain is a transaction pattern commonly seen in blockchain analysis, in which funds appear to move through several intermediate addresses. Peel chains occur naturally and aren’t inherently obfuscatory or evidence of money laundering. bit.ly/3pSSDxU
THREAD: Based on our blockchain analysis, we can confirm reports speculating that DarkSide #ransomware group has rebranded to BlackMatter. This is part of a trend in which ransomware groups shut down & reemerge with new names, often after law enforcement actions or media scrutiny
Chainalysis was able to confirm the financial connection between DarkSide and BlackMatter in late July '21 a few days before security researchers speculated there was a connection based on similarities w/ their encryption algorithms, decryptors, and more: bleepingcomputer.com/news/security/…
Sometimes following the money can provide an early indicator about a ransomware group’s revitalized operations. In this case, financial connections were made on the blockchain before any attacks were made public on BlackMatter’s blog therecord.media/an-interview-w…
THREAD: Here's a quick summary of our blog on the Bitcoin donation made in December to alt-right groups and figures involved in last week's violence at the Capitol.
Alt-right personality Nick Fuentes, who was pictured outside the Capitol but denies entering, was by far the biggest beneficiary of the donation, receiving roughly $250K. bit.ly/38J9quj
Other far right figures who received Bitcoin in the donation include Patrick Casey, Vincent Reynouard, and Ethan Ralph, as well as platforms and websites like the Daily Stormer, VDARE, and Gab. bit.ly/38J9quj
THREAD: We published a response to Treasury's proposed rule re: unhosted wallets, analyzing data behind their use, what the industry would have to do to comply & offering thoughts on how the rule could better achieve its purpose to curtail illicit activity bit.ly/3mHLYS2
First, three clear trends from our blockchain data suggest unhosted wallets are primarily used by individuals and organizations to either store their cryptocurrency for investment purposes, or move it between regulated trading venues.
Our first chart shows the vast majority of bitcoin sent between unhosted wallets is sourced from Virtual Asset Service Providers (VASPs), primarily exchanges: