Crypto-exchange exploits OpSec mistakes to bust crooks
The Binance cryptocurrency exchange has explained how advances in data analytics helped it track down a group of money launderers involved with various cybercrimes, including the notorious Clop ransomware scam.
Ukrainian police announced the arrest of individuals and the takedown of infrastructure related to the ‘Clop’ ransomware operation earlier this month.
Binance’s statement confirms that those arrested were cashing out and laundering funds, rather than being behind the creation of the ransomware.
The group – also known as FANCYCAT – had their fingers in numerous criminal scams including laundering money for dark web operators as well as ransomware peddlers.
Follow the (digital) money
As with the proceeds of drug dealing, funds extracted from victims through criminal activity such as ransomware need to be disguised before they can safely be spent in the real world to buy goods. That’s because any funds tied back to criminal activity can become the target of forfeiture orders.
Even when money is already in digital form it still needs to be laundered, and abusing exchanges is one of the main techniques in play.
“Blockchain analysis shows a network of money launderers living inside macro exchanges which deposit and withdraw to each other to wash the money,” according to Binance, the Cayman Islands-domiciled crypto exchange.
Based on this insight, Binance was able to apply detection mechanisms to identify and interdict suspect accounts before working with law enforcement to build cases and take down criminal groups, as it explained in a blog post about the investigation.
We applied the two-pronged approach to the FANCYCAT investigation: our AML detection and analytics program detected suspicious activity on Binance.com and expanded the suspect cluster. Once we mapped out the complete suspect network, we worked with private sector chain analytics companies TRM Labs and Crystal (BitFury) to analyze on-chain activity and gain a better understanding of this group and its attribution.
Based on our analysis we found that this specific group was not only associated with laundering Clop…
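The detection idea Binance describes above (a network of accounts that deposit and withdraw to each other, with a seed set of suspicious accounts expanded into a full cluster) can be illustrated with a small graph-walk over transfer records. The code below is an added example written for this page; it is not Binance’s, TRM Labs’ or Crystal’s code, and the account names, amounts, thresholds and the ‘mutual counterparty’ rule are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (not real data): (sender, receiver, amount).
# acct_A..acct_D pass funds back and forth; the others are ordinary one-way
# payments or an unrelated mutual pair that never touches the seed.
TRANSFERS = [
    ("acct_A", "acct_B", 10.0),
    ("acct_B", "acct_A", 9.5),
    ("acct_B", "acct_C", 9.0),
    ("acct_C", "acct_B", 8.7),
    ("acct_C", "acct_D", 8.5),
    ("acct_D", "acct_C", 8.2),
    ("acct_A", "merchant_1", 2.0),   # one-way outbound payment
    ("user_X", "acct_A", 1.0),       # one-way inbound deposit
    ("user_Y", "user_Z", 5.0),       # unrelated pair, mutual flow
    ("user_Z", "user_Y", 4.0),       # but not connected to the seed
]


def build_flow_graph(transfers):
    """Aggregate transfers into a directed flow graph: (sender, receiver) -> total amount."""
    flows = defaultdict(float)
    for sender, receiver, amount in transfers:
        flows[(sender, receiver)] += amount
    return dict(flows)


def mutual_counterparties(account, flows, min_amount):
    """Accounts that both received from and sent back to `account`, each leg >= min_amount.

    A round trip is the assumed signature of accounts 'washing' funds between
    themselves; a one-way payment or deposit does not qualify.
    """
    outbound = {r for (s, r), amt in flows.items() if s == account and amt >= min_amount}
    inbound = {s for (s, r), amt in flows.items() if r == account and amt >= min_amount}
    return outbound & inbound


def expand_cluster(seeds, flows, min_amount=1.0, max_hops=5):
    """Grow a suspect cluster from seed accounts by following mutual-flow edges.

    Breadth-first: each hop adds counterparties that round-trip funds with any
    account already in the cluster. max_hops bounds the walk so a single noisy
    seed cannot pull in the whole exchange.
    """
    cluster = set(seeds)
    frontier = set(seeds)
    for _ in range(max_hops):
        new_accounts = set()
        for account in frontier:
            new_accounts |= mutual_counterparties(account, flows, min_amount) - cluster
        if not new_accounts:
            break
        cluster |= new_accounts
        frontier = new_accounts
    return cluster


def internal_volume_ratio(cluster, flows):
    """Share of the cluster's total volume that stays inside the cluster.

    A high ratio means most of the money is just circulating among the same
    accounts rather than flowing in from or out to the wider user base.
    """
    internal = sum(amt for (s, r), amt in flows.items() if s in cluster and r in cluster)
    total = sum(amt for (s, r), amt in flows.items() if s in cluster or r in cluster)
    return internal / total if total else 0.0


if __name__ == "__main__":
    graph = build_flow_graph(TRANSFERS)
    suspects = expand_cluster({"acct_A"}, graph)
    print("suspect cluster:", sorted(suspects))
    print("internal volume ratio: %.3f" % internal_volume_ratio(suspects, graph))
```

Starting from a single flagged account, the walk pulls in the three accounts that round-trip funds with it while leaving the merchant, the ordinary depositor and the unrelated pair alone; the internal-volume ratio then gives a reviewer a quick sense of whether the cluster behaves like a closed washing loop. In practice the seed set would come from existing AML alerts and the thresholds and hop limit would be tuned against known-good account behaviour to keep false positives down.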