Crypto Exchanges And The Ransomware Conundrum

Trent Fowler
Jun 14, 2022

According to a piece published in The Wall Street Journal in late April, the New York State Department of Financial Services has recently come out in favor of using blockchain analytics to “prevent and manage financial risks and potential illicit activities”. Laurel Loomis Rimon, a partner at the Paul Hastings LLP law firm, is quoted as saying:

“Blockchain analytics tools provide companies with an efficient, data-driven way to conduct customer due diligence, transaction monitoring and sanctions screening,” Rimon said, “among other things, which are all critical elements of our virtual currency regulation.”

The NYDFS had strong reasons for making this recommendation. As our recent report on ransomware shows, criminals have increasingly encroached on the legitimate crypto and blockchain ecosystem by using exchanges as cash-out points for the ill-gotten gains resulting from such nefarious activities as human trafficking, child pornography, and ransomware attacks.

A Growing Problem

The cryptocurrency space has long been unfairly maligned as a place for paid assassins and tax evaders to conduct their wicked goings-on outside the bounds of the law. Though the size of the criminal element within the ecosystem has been exaggerated, there is a large and growing amount of crime in crypto, and this is a problem for everyone.

Ransomware payouts roughly doubled on average each year from 2018 to 2021, and nearly every week, it seems, an eye-popping amount of money is stolen from some exchange, protocol, or project.

These creative capers began in 2016, when an Ethereum-based decentralized autonomous organization known simply as ‘The DAO’ was drained of 3.65 million ETH — $11 billion in today's prices. The eventual solution was the forking of the Ethereum blockchain into two distinct chains: Ethereum, in which the ledger’s history was rolled back to before the attack and funds were returned to investors, and Ethereum Classic, in which this rollback never occurred and the hack was left intact. This decision was controversial at the time and continues to draw scrutiny because, in essence, it violated the famed immutability of the blockchain, in which every transaction is ostensibly unchangeable and permanent.

In recent weeks, the North Korean hacker group Lazarus took the popular cryptocurrency game Axie Infinity to the cleaners to the tune of $625 million, and the Beanstalk protocol fell victim to a ‘flash hack’ which relieved it of $182 million.

In some of these cases, it’s difficult to tell if anyone is even technically guilty of wrongdoing. In both the DAO and Beanstalk episodes, the thieves cleverly used each project’s own rules in a way that allowed them to make off with a fortune, but it’s unclear exactly what laws (if any) were violated.

But in other cases, there is no such ambiguity. One especially sinister example is an old and relatively obscure threat which has begun to take on ominous new proportions, with implications for national security.

Ransomware: The Specter Haunting Crypto

As we noted in our blog post on the evolution of ransomware, ransomware is a type of malicious software used by cybercriminals to extort money from their victims. Ransomware hackers typically use different social engineering methods, such as phishing, in order to gain entry into a system. They then steal personal or professional information stored on that system before demanding a ransom payment in exchange for its return.

To quote from our ransomware report: “A decade ago, a ransomware attack might have been carried out by a lone actor targeting an individual or a small business and involving ransom payoffs of a few thousand dollars. Today, these attacks are orchestrated by sophisticated criminal enterprises that target massive companies and critical infrastructure, sometimes extracting millions of dollars from victims in a single payment.”

A central factor driving this shift is the heavy use of cryptocurrencies, and bitcoin (BTC) in particular, for payments. With the blockchain, transactions can be conducted outside the system of traditional finance, allowing criminals to rake in money regardless of where they are physically.

Based on internal research, we estimate that ransomware attackers have pulled in at least $2 billion since 2019, with payments amounting to more than $1 billion in 2021 alone.

Our data point to a similar trend in payment size: just shy of 400 individual ransom payments exceeding $1 million each have occurred since 2019. From 2019 to 2020 alone, the number of such payments increased by 465%. Seven- and even eight-figure payouts, larger than any previously recorded, have also appeared.

Ignorance Is No Longer An Excuse

These figures establish that ransomware and related criminal activities are a sizable issue, but one might think that they have no reason to worry if they are a legitimate company with built-in security protocols.

The fact is, even if an exchange is not the target of an attack, it should still be concerned about receiving illicit money, as this can directly affect it in costly ways. Under US law, exchanges are required to know their customers, and ignorance is not an excuse.

Given the clandestine nature of their operations, you might expect that criminals in the blockchain space would handle their cash-outs with shady services like darknet markets, gambling sites, and mixers. They often do, but we find that a sizable portion of ransomware funds actually flow out to mainstream services such as exchanges.

In fact, by our estimates, nearly half (43%) of ransomware funds are sent to exchanges. This works out to hundreds of millions of dollars by current prices.

This means that anyone trying to obey the law confronts a twin danger: they must protect their own funds from thieves by not leaving themselves open to attack, and they must also guard against inadvertently receiving funds from thieves by complying with stringent Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.

The saying “it is better to give than to receive” isn’t always true, it turns out; sometimes, both are problematic.

Our charts and figures have focused on the exposure that exchanges have to illicit ransomware money, but the point applies more broadly: any legitimate actors in the cryptoasset space need to be on high alert regarding their exposure to any illegitimate source of funds.

The penalties imposed upon those who interact with sanctioned entities (wittingly or not) can be severe.

Luckily, unlike in days past, blockchain analytics can now provide the solution for anyone facing this looming legal crisis.

What is Blockchain Analytics and How Can it Help?

The blockchain consists of an immutable distributed ledger. Every transaction ever conducted with bitcoin, including the addresses sending and receiving, is permanently recorded. And notwithstanding exceptions like Ethereum’s fork to deal with the DAO hack, this ledger is theoretically immutable.

This means that someone with the right technical savvy can protect themselves from legal and regulatory issues by just checking that the addresses they’re receiving funds from aren’t sanctioned or otherwise tied to criminal activity.

There’s just one problem: this is extremely difficult to do.

One cause of this difficulty is the fact that blockchain data is, by default, not particularly human-readable. Though every transaction is recorded in the ledger, the actual entries are just long strings of letters and numbers (i.e. ‘addresses’) sending random amounts of bitcoin to other long strings of letters and numbers.

Following even a few addresses or a few transactions quickly becomes a Herculean task.

What blockchain analytics and forensics companies such as Elementus do is provide a restructuring of the underlying data into a format that’s easier to understand and utilize.

In the graph below, Elementus Pulse™ follows a $9.7 million ransomware payment to its cash-out points.

What’s happening in this image? In essence, our team has identified the addresses associated with the different entities involved (each entity is represented by a different icon), algorithmically “clustered” them using our proprietary second-generation technology (so that you see one ‘exchange’ icon instead of 6,000 individual addresses belonging to that exchange), and mapped the flow of funds from the source (red icon at the top), through intermediary addresses (the big gray circle in the middle), and out to the funds’ final destination, including exchanges, payment gateways, and so on (the array of icons fanning out at the bottom).

Constructing this overview would traditionally take weeks of time-consuming manual analysis, but it can be accomplished in seconds with the Elementus platform.

Blockchain Analytics Could Become More Important in the Future

To recap:

  • there is a great deal of crime in the crypto ecosystem
  • much of the money used by criminals flows to mainstream entities
  • there can be severe consequences for accepting stolen funds or interacting with sanctioned entities
  • despite the data made available by the immutable ledger, identifying sources of regulatory risk is difficult because the data are hard to read
  • crypto forensics and analytical software can help identify and automate a number of these tedious and previously technically insurmountable challenges

Though forensics platforms such as Elementus have long been a crucial part of protecting legitimate businesses conducting legitimate operations, they may soon be required for companies wanting to stay in compliance: a “must have” rather than a “nice to have.”

If you’re interested in learning more, please download our ransomware report today and send us an email at

About Elementus

Elementus is a best-in-class blockchain analytics platform that detects a wide variety of bad actors on-chain, enabling legitimate entities in the space to avoid exposure to ransomware funds, solve complex crypto crimes, and remain in compliance.

Powered by SourceFlow™, EntityIndex™, and patent-pending Intelligent Network Expansion™ technology, the Elementus platform automatically examines large structures of on-chain activity to rapidly detect risks that are otherwise impossible to see.

We trace the movement of crypto in an automated fashion, achieving in seconds what previously took days or weeks of manual analysis and making blockchain data more transparent than it has ever been.

Elementus is based in New York City. The CEO and founder is Max Galka.

Follow the crypto — with Elementus.

For more information, please visit