Stealing cryptocurrency is relatively easy; cashing it out is quite another thing, experts say.
“The skills needed for initial operation and the skills needed for subsequent laundering are very different,” Arda Akartuna, a blockchain analyst at Elliptic, told Fortune.
The blockchain ecosystem is not designed for moving large sums anonymously. The options for laundering stolen cryptocurrency are very limited, especially for very large amounts. Referring to the recent hack of the Axie Infinity blockchain game, Akartuna suggests that the attacker "will face practical and logistical difficulties if he tries to withdraw the entire stolen amount of $600 million at once."
“Hacking is the easiest part. The most difficult thing is to plan a successful withdrawal in advance. Moreover, the bigger the hack, the less likely it is that hackers will be able to escape with all the money,” said Jonah Michaels, head of communications at the bug bounty platform Immunefi.
Every transaction on a public blockchain is recorded in an open ledger that anyone can read. Cryptocurrency addresses are therefore only pseudonymous: an address carries no name, but every transfer into and out of it is visible, so funds can be followed from address to address, and the owner is exposed the moment any address on the trail is tied to an identity (for example at an exchange that verifies its customers).
To cover their tracks, cybercriminals use so-called mixers, services that pool their cryptocurrency with other people's. After passing funds through a mixer, the user withdraws the same amount to a fresh address that has no on-chain link to the deposit, which is what breaks the trail.
One of the most popular mixers is Tornado Cash. According to Akartuna, Tornado Cash is usually the first stop for cyber thieves after a theft. The Axie Infinity attacker, for example, pushed millions of dollars' worth of the stolen cryptocurrency through Tornado Cash.
"It's very easy to track cryptocurrency without mixers, no matter how much time has passed. All information is visible to everyone on the blockchain. Even decades later, people can still set up alerts for any movement of these funds," Michaels explained.
Besides mixers, hackers also convert stolen coins into other cryptocurrencies through decentralized exchanges (DEX) or bridges. A DEX is an on-chain, peer-to-peer trading venue with no intermediary: trades are executed by smart contracts, which neither ask for nor record any personal information about the trader. The swap itself is still public, though: the transaction that turns stolen ETH into a stablecoin is visible on the chain and keeps the sending and receiving addresses linked.
By contrast, centralized exchanges (CEX) such as Coinbase and Gemini are subject to financial regulation and must collect identifying information from their users (KYC), and they can freeze deposits tied to a known theft.
The Axie Infinity attacker made a serious mistake: part of the stolen funds, in ETH, was deposited at the centralized exchanges Huobi, FTX and Crypto.com, where accounts are tied to identities and balances can be frozen.
Bridges, in turn, move value from one blockchain to another. Most cryptocurrencies live on their own chain and cannot be sent to another chain directly. To get around this, a bridge locks the original asset on the source chain and issues a "wrapped" token on the destination chain that represents it. The lock and the mint are both on-chain events, so a bridge changes which chain an investigator has to look at, but it does not by itself break the trail.
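The tracing points above (funds stay followable across plain transfers, DEX swaps and bridge wraps, while a mixer pool breaks the link) can be shown on a toy transaction graph. The following is an added example written for this page, not code from the article, from Elliptic or from Immunefi; the ledger, the address names and the attribution list are all constructed for illustration, and the event kinds (`transfer`, `swap`, `bridge`, `mixer_deposit`, `mixer_withdraw`) are a hypothetical simplification of what a real chain-analysis tool would derive from raw transactions.

```python
from collections import defaultdict, deque

# Constructed toy ledger for this example. Every address, asset and
# event here is made up; nothing is taken from a real chain or from the
# Axie Infinity case. Each record is one public on-chain event:
#   transfer        plain send, asset unchanged
#   swap            DEX trade: same owner, asset changes within one tx
#   bridge          lock on one chain, wrapped token minted on another
#   mixer_deposit   deposit into a shared pool
#   mixer_withdraw  withdrawal from the pool to some address
LEDGER = [
    {"src": "thief",      "dst": "hop_a",       "asset_in": "ETH",    "asset_out": "ETH",    "kind": "transfer"},
    {"src": "hop_a",      "dst": "hop_a",       "asset_in": "ETH",    "asset_out": "USDC",   "kind": "swap"},
    {"src": "hop_a",      "dst": "hop_b",       "asset_in": "USDC",   "asset_out": "USDC",   "kind": "transfer"},
    {"src": "hop_b",      "dst": "hop_b_l2",    "asset_in": "USDC",   "asset_out": "USDC.e", "kind": "bridge"},
    {"src": "hop_b_l2",   "dst": "cex_deposit", "asset_in": "USDC.e", "asset_out": "USDC.e", "kind": "transfer"},
    {"src": "thief",      "dst": "hop_c",       "asset_in": "ETH",    "asset_out": "ETH",    "kind": "transfer"},
    {"src": "hop_c",      "dst": "mixer_pool",  "asset_in": "ETH",    "asset_out": "ETH",    "kind": "mixer_deposit"},
    {"src": "stranger",   "dst": "mixer_pool",  "asset_in": "ETH",    "asset_out": "ETH",    "kind": "mixer_deposit"},
    {"src": "mixer_pool", "dst": "fresh_1",     "asset_in": "ETH",    "asset_out": "ETH",    "kind": "mixer_withdraw"},
    {"src": "mixer_pool", "dst": "fresh_2",     "asset_in": "ETH",    "asset_out": "ETH",    "kind": "mixer_withdraw"},
]

# Hypothetical attribution list, the kind an analytics firm maintains.
KNOWN_ENTITIES = {
    "cex_deposit": "deposit address at a KYC exchange",
    "mixer_pool": "mixer contract",
}


def trace(ledger, seed_addr, seed_asset="ETH"):
    """Breadth-first follow-the-money from (seed_addr, seed_asset).

    Returns (reached, broken): reached maps every (address, asset) the
    funds provably flowed into to the list of hops that got there;
    broken lists the hop lists that ended in a mixer deposit, where the
    public ledger no longer links any withdrawal to a specific deposit.
    """
    edges = defaultdict(list)
    for rec in ledger:
        edges[(rec["src"], rec["asset_in"])].append(rec)

    start = (seed_addr, seed_asset)
    reached = {start: []}
    broken = []
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rec in edges[node]:
            hop = (rec["src"], rec["dst"], rec["asset_out"], rec["kind"])
            path = reached[node] + [hop]
            if rec["kind"] == "mixer_deposit":
                # Do not enqueue the pool: following its withdrawals would
                # taint every depositor's funds, not just the thief's.
                broken.append(path)
                continue
            nxt = (rec["dst"], rec["asset_out"])
            if nxt not in reached:
                reached[nxt] = path
                queue.append(nxt)
    return reached, broken


def attributed(reached, known=KNOWN_ENTITIES):
    """Reached addresses that match a known entity, i.e. the places where
    a freeze request or a subpoena has somewhere to go."""
    return {addr: known[addr] for (addr, _asset) in reached if addr in known}


if __name__ == "__main__":
    reached, broken = trace(LEDGER, "thief")
    for node, path in reached.items():
        print(node, "<-", " -> ".join(f"{h[1]}[{h[2]}:{h[3]}]" for h in path) or "seed")
    print("trail broken at:", [p[-1][1] for p in broken])
    print("attributable endpoints:", attributed(reached))
```

Run as a script, the trace follows the first branch through a swap, a bridge and a final transfer to the exchange deposit address, and it stops the second branch at the mixer deposit without ever touching `fresh_1` or `fresh_2`. That asymmetry is the whole point of the article: swaps and bridges change the asset or the chain but leave a deterministic edge on a public ledger, while a pooled mixer replaces that edge with a many-to-many relationship that this kind of graph walk cannot resolve.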
According to Akartuna, cashing out stolen funds can become so difficult that in the end the hackers decide to give the loot back. Some return the money for fear of arrest. In the case of the Poly Network DeFi protocol, the hacker who stole $611 million eventually returned the funds, saying that the hack was just for fun, that he was never really interested in the money, and that he had not intended to keep it from the start.