mixers

Push to ban ransomware payments following Australia’s biggest cyberattack

The hack on Latitude Financial is Australia’s biggest cyberattack, with driver’s license numbers, passports and financial documents among the stolen information.

The Australian government is being pushed to ban the payment of cyber ransoms, usually demanded in cryptocurrency, following a local business suffering a mass data breach and subsequent ransom demand.

Australian consumer lender Latitude Financial first announced on March 16 that it was hit by a cyberattack and provided an update on April 11 indicating that it had received a ransom demand that it’s refusing to pay:

“In line with advice from cybercrime experts, Latitude strongly believes that paying a ransom will be detrimental to our customers and cause harm to the broader community by encouraging further criminal attacks.”

The attack resulted in around 7.9 million Australian and New Zealand driver’s license numbers being stolen, in addition to 6.1 million customer records, 53,000 passport numbers and 100 customer financial statements.

The Australian government’s lead cybersecurity agency, the Australian Cyber Security Centre (ACSC), currently recommends that victims of ransomware attacks never pay a ransom, saying there’s no guarantee the information will be returned instead of being sold online.

*The ACSC’s tips on responding to a ransomware attack. Source:* *ACSC*

Despite the recommendation, there is currently no law prohibiting firms from paying ransoms and the latest attack on Latitude prompted many from the Australian tech industry to call for new rules to outlaw it.

Wayne Tufek, the director of cybersecurity firm CyberRisk, told media outlet The Australian that “making ransom payments illegal would act as a deterrent for criminals to continue attacks if they know that they won’t be paid large sums of money.”

The director of technology law firm Biztech Lawyers, Andrew Truswell, also told The Australian that a law restricting ransom payments should be considered.

Cyber Security Minister Clare O’Neil is currently weighing if ransom payments should be made illegal following suggestions from a review of Australia’s cybersecurity strategy led by Andy Penn, the former CEO of telco firm Telstra.

Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model.

They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals.

— Clare O'Neil MP (@ClareONeilMP) April 11, 2023

The ACSC suggests that Australia is particularly attractive to cybercriminals due to its prosperity, with Australians often cited as having the highest median wealth per adult in the world.

Cryptocurrency has long been accused of facilitating ransomware attacks, as attackers often demand payment in crypto in order to anonymize the funds and transfer them across borders.

One of the ways in which crypto facilitates ransomware is through its ability to anonymize funds through the use of mixing services such as Tornado Cash.

At a Feb. 28 United States Senate Banking Committee hearing, a former deputy national security adviser for international economics in the Biden administration, Daleep Singh, said that “digital assets are essential to the business model of ransomware,” with “close to 100%” of cyber attackers paid off using crypto.

Hodler’s Digest, April 2-8: BTC white paper hidden on macOS, Binance loses AUS license and DOGE news

Into the storm: The murky world of cryptocurrency mixers

A handful of obfuscation protocols are competing for the user base of OFAC-sanctioned Tornado Cash.

Cryptocurrency mixing services are a divisive subject in the industry. Some advocate for the privacy-enabling features of these protocols while others maintain that they are mainly used for illicit means.

For platforms like Tornado Cash, the mainstream verdict is “guilty as charged.” The infamous decentralized mixing protocol was sanctioned by the United States Office of Foreign Assets Control (OFAC) in August 2022, essentially making it illegal for anyone to make use of the service.

Tornado Cash continues to be a contentious topic and one of its developers, Alexey Pertsev, controversially remains in detention in the Netherlands while investigators look to build a case against the Russian developer and his alleged role in the mixer’s operation.

In a proverbial sense, one man’s loss is another man’s gain and that seems to be the case for cryptocurrency mixers according to a report from blockchain analytics firm Elliptic.

A blow to money-laundering operations

As highlighted in its analysis, Elliptic reveals that over $7 billion worth of cryptocurrencies were processed by Tornado Cash. An estimated $1.54 billion of illicit cryptocurrency was laundered through the platform, with a user base that included the likes of North Korean Lazarus Group state hackers.

In the wake of OFAC’s sanctions, Tornado Cash liquidity pools saw their holdings drop by 60% which is said to have drastically reduced the anonymizing potential of the platform for large-scale money laundering operations.

With Tornado Cash ostensibly shut down, a number of alternative mixing services have been identified as potential threats to cryptocurrency service providers and criminal investigators. Elliptic highlights six different protocols that have been used as mixers in the wake of Tornado Cash’s prohibition.

Not all mixers are being used for illicit means

Elliptic’s report unpacks how these mixer protocols operate in different ways and provide a variety of outcomes for potential users. A top-down view shows that these obfuscation protocols have mixed over $41 million of cryptocurrency, which pales in comparison to the total amount that was processed by Tornado Cash.

Ether (ETH), BNB (BNB), Wrapped Ether (wETH) and Tether (USDT) are the most commonly mixed tokens, given their usability within decentralized finance (DeFi). Elliptic’s figures notably exclude Polygon-based tokens.

Two particular protocols account for the highest mixing capacity of the tools analyzed and as a result, make up three-quarters of the cryptocurrency mixed.

The first is Railgun, a decentralized protocol that, according to Elliptic, caters to professional traders and DeFi users looking to conceal investment strategies. Railgun Privacy System removes wallet addresses from transactions on public blockchains using zero-knowledge-proof technology. It claims to be ERC-20 token compatible and has no mixing limit.

Cyclone Protocol is the second protocol, a Tornado Cash fork that touts a number of enhancements said to include yield farming to contributors of anonymity pools. Elliptic reports that Cyclone is able to mix 100 ETH/100,000 USDT in one instance and is available on IoTEX, Ethereum, BNB Smart Chain and Polygon.

Aside from Cyclone, which Elliptic highlights as the highest risk protocol among the six in its report, funds being mixed by these services “largely reflect legitimate DeFi trading activity.”

Just $40,000 of mixed funds were traced back to DeFi thefts which suggests that current activity reflects a lack of adoption of these alternative mixing protocols by nefarious actors and criminal elements.

Keeping tabs

Despite the fact that a relatively small amount of cryptocurrency has been mixed by nefarious actors, Elliptic still provides a cautionary note aimed at a couple of the services it highlighted.

Cyclone Protocol is identified as the highest-risk service in the wake of Tornado Cash sanctions. The service’s high transaction limit, large liquidity available in its mixing pools, and its ability to process Tornado Cash’s eponymous governance token (TORN) are cause for concern according to Elliptic:

“It’s confirmed use to launder at least some proceeds of DeFi exploits, the large amount of funds it has since processed and the apparent absence of its developer team to address concerns only strengthen these risks.”

Buccaneer V3 (BV3) was scored as a “medium-high” risk tool. The Ethereum-based token (BUCC) allows users to “bury” funds for an indefinite period of time without having to mix, pool or cycle transactions. A decoy mode displays fictitious BUCC balances on user interfaces as an obfuscation technique.

The service could be attractive for illicit use cases as it makes use of a Gas Station Network in order to pay transaction fees by claiming a small proportion of transferred BUCC. This could allow users to avoid using regulation-compliant cryptocurrency exchanges and services:

“BV3 therefore claims that it solves the ‘funding problem’ — the issue that addresses typically need to source ETH to pay transaction fees, typically from a centralized KYC exchange.”

A caveat provided by Elliptic is that BV3 uses technology that is still being tested, with its features and capabilities still to be fully realized. The remaining four protocols all have factors that Elliptic believes will inhibit large-scale illicit use.