“Hive” gang, how cybercriminals launder money with bitcoin
Conditioned transparency. Bitcoin, the first modern and still the most popular cryptocurrency, has two characteristics that are supposed to balance each other.
On one side, the Bitcoin network itself does not require users to share any identifying information when sending or receiving bitcoin (a regulated exchange usually does, but only when bitcoin is bought or sold for ordinary currency). For this reason, the cryptocurrency has often been used by criminals.
On the other side, every transaction is public and traceable, which should compensate for the lack of data about who is trading. It is not always like that, as the money flow managed by the “Hive” gang shows.
Hive, an investigation into a ransomware group’s income
Seizure of Bitcoin wallets
“Bitcoin is often perceived as an anonymous payment network. But in reality, it is probably the most transparent payment network in the world”, states the website bitcoin.org.
Indeed, a user needs a wallet to trade bitcoin, but no name is required to create one. A wallet controls one or more addresses (unique strings derived from cryptographic keys), and it is the address, not the person, that appears on the blockchain: a public, shared ledger that records every transfer between addresses and never forgets one, which makes it possible to go back to the origin of (almost) every fund.
So, even if law enforcement can’t know who is behind an address, they can check whether the money comes from a criminal activity detected earlier. Whenever a sum of bitcoin is flagged as illicit, the authorities can decide to seize it, provided the transfer passes through a compliant platform (such as a regulated exchange) that can be compelled to act.
According to US company Chainalysis, “governments have seized billions of dollars in cryptocurrency since Bitcoin’s creation. American agencies have seized at least $7.1 billion; London Metropolitan Police has seized half a billion; and law enforcement agencies in Latin America, Europe, and Asia–Pacific have collectively made cybercriminals forfeit billions more.”
Yet, when it comes to traceability, there is a big “but”.
What is Hive
Hive is a “ransomware” group similar in tactics and features to “Cl0p” (which we investigated in a previous article).
It is called “ransomware” because the attackers infect a computer or a network (usually a company’s) with malware (malicious software) that blocks access to the data or encrypts it. Then they demand a ransom for the decryption key. Payment is demanded in cryptocurrency so that the criminals never have to reveal their identity.
Hive was first observed in June 2021, according to the software company Varonis. The same company confirms the gang “is built for distribution in a Ransomware-as-a-service model” (RaaS).
The company Crowdstrike explains what “ransomware as a service” is: “a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators.” In return, the operators receive a percentage of the victim’s ransom.
Hive also practises “double extortion”. If the targeted entity doesn’t pay the ransom, the attackers threaten to publish confidential data stolen from the victim during the intrusion. The threat therefore has two steps:
1) block access to the files through encryption;
2) expose the victim’s files publicly.
The Dark Web portal
Hive, like “Cl0p”, runs a dark web portal where it publishes the data of entities that refuse the group’s demands. “HiveLeaks” has been leaking companies’ files since 26 June 2021. The most recent disclosure dates back to 8 June 2022.
The website has a dedicated section for each uncooperative victim. For every victim there is a link to the files stolen by the attackers, together with the date of the encryption and the date of the disclosure.
The interval between the encryption and the disclosure on the gang’s portal varies from 4 days to 6 months. It probably depends on the negotiations the victim tries to carry out with the criminals.
Indeed, the gang usually sends an extortion message explaining how to pay the ransom. When the victim replies or clicks a link in the message, the attackers start a countdown. If the clock runs out without payment, the data are published.
Two buttons sit at the far right of every section of the portal. By clicking them, any visitor can share the disclosed information via Facebook or Twitter. The threat of publicity is a tactic to induce the ransom payment.
The Bitcoin addresses
BLIN Analytics is a Swiss company providing blockchain investigation and tracking services. In a report from January 2022, it identified three bitcoin addresses attributed to the Hive gang (using Reactor, the investigation software developed by Chainalysis).
Hive demands payment from its victims in cryptocurrency and then moves the proceeds through a series of bitcoin addresses. Following the path of the money helps understand the criminals’ actions.
The first Bitcoin address
The first address shared by BLIN Analytics (and related to Hive) is “3JQPmouFTZx4ugAETYgLZPrX3mWZwxEQp9”.
According to “Blockchain Explorer”, a search engine showing the movements in several blockchains, the address’s balance is now 0. It received 18.83687410 BTC (BTC is the monetary unit of Bitcoin) on 17 August 2021 at 22:55, and it sent the same amount, 18.83687410 BTC, on 17 August at 23:55. There were no other movements from or to the address. It appears to have been created only to pass the money along, probably to obscure the path of the funds.
As we said, the blockchain is public and records every movement. Yet, tracking the money by hand with “Blockchain Explorer” is tricky and time-consuming: there can be hundreds of transactions, and the path of the transfers is rarely linear.
Maltego, a graph tool
A proper (paid) tool for tracking the transfers and displaying them in a clear graph is “Maltego”. It is popular among forensic analysts, cybersecurity experts and investigation companies. Starting from the Bitcoin address under investigation, Maltego queries blockchain data and draws the relations between the addresses involved.
Even a minimal query starting from this address returns results. All the related addresses (displayed in the graph below as circles) have a balance of 0: they received the money once and then sent the same sum within a short time.
In almost all cases, the money was sent on to two different addresses, as the arrows in the graph show. The initial sum is split in two:
1. The larger part is moved to an address from which the money is sent on again;
2. The smaller part goes to a different address, which repeats the same procedure, forwarding it to yet other addresses.
The same scheme repeats dozens of times. Investigators call this pattern a “peel chain”: at every hop a small amount is peeled off while the bulk moves on to a fresh address, so that each address is used exactly once and the balance always returns to 0.
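To make the pattern concrete, here is a small added example (my own code, not the article’s, BLIN Analytics’ or Maltego’s) that walks a peel chain over a handful of constructed transactions. Amounts are in satoshis, the addresses (“A”, “B”, …) and transaction ids are made up, and the two heuristics are assumptions of this example: a hop counts as a peel when a transaction has one or two inputs and exactly two outputs of unequal value, and a transaction with several inputs and several outputs of identical value is treated as coinjoin-like, which is where the walk stops.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # [(address, satoshis)]
    outputs: list  # [(address, satoshis)]


def is_peel(tx: Tx) -> bool:
    """Peel-chain hop (assumed heuristic): 1-2 inputs, exactly 2 outputs of unequal size."""
    return (len(tx.inputs) <= 2 and len(tx.outputs) == 2
            and tx.outputs[0][1] != tx.outputs[1][1])


def is_coinjoin_like(tx: Tx, min_equal: int = 3) -> bool:
    """Coinjoin footprint (assumed heuristic): many inputs and >= min_equal outputs of identical value."""
    if not tx.outputs or len(tx.inputs) < min_equal:
        return False
    equal_runs = Counter(sats for _, sats in tx.outputs)
    return max(equal_runs.values()) >= min_equal


def follow_peel_chain(txs, start_addr, max_hops=50):
    """Follow the larger output hop by hop from start_addr.

    Returns (txids visited, peeled-off outputs, why the walk stopped).
    Assumes each pass-through address is spent from at most once, as in the graph above.
    """
    spent_by = {addr: tx for tx in txs for addr, _ in tx.inputs}
    hops, peeled, addr = [], [], start_addr
    for _ in range(max_hops):
        tx = spent_by.get(addr)
        if tx is None:
            return hops, peeled, "unspent"     # funds still sit at this address
        hops.append(tx.txid)
        if is_coinjoin_like(tx):
            return hops, peeled, "coinjoin"    # trail dissolves into a mix
        if not is_peel(tx):
            return hops, peeled, "other"       # some other spending pattern
        bulk, peel = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        peeled.append(peel)
        addr = bulk[0]                         # keep following the larger output
    return hops, peeled, "max_hops"


# Constructed sample chain (not real on-chain data): A -> B -> D -> F -> coinjoin,
# with a small amount peeled off at every hop (C, E, G) and one side branch from C.
TXS = [
    Tx("t1", [("A", 1_883_687_410)], [("B", 1_500_000_000), ("C", 383_677_410)]),
    Tx("t2", [("B", 1_500_000_000)], [("D", 1_200_000_000), ("E", 299_990_000)]),
    Tx("t3", [("D", 1_200_000_000)], [("F", 1_000_000_000), ("G", 199_990_000)]),
    Tx("t5", [("C", 383_677_410)], [("H", 300_000_000), ("I", 83_667_410)]),
    Tx("t4",
       [("F", 1_000_000_000), ("X1", 1_000_050_000), ("X2", 1_000_020_000), ("X3", 1_000_000_000)],
       [("O1", 999_900_000), ("O2", 999_900_000), ("O3", 999_900_000), ("O4", 999_900_000),
        ("CH1", 50_000), ("CH2", 20_000)]),
]

if __name__ == "__main__":
    hops, peeled, stop = follow_peel_chain(TXS, "A")
    print("hops:", " -> ".join(hops), "| stopped:", stop)
    for addr, sats in peeled:
        print(f"  peeled {sats / 1e8:.8f} BTC to {addr}")
```

Run from “A”, the walk visits t1, t2, t3 and stops at t4 with the verdict “coinjoin”; run from the peeled-off address “C”, it follows the side branch to “H” and stops with “unspent”. In a real investigation the same loop would be fed by an explorer API rather than a hard-coded list, and the thresholds would be tuned against known mixer transactions.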
The second Bitcoin address
Tracing the money that reached our first address, “3JQPmouFTZx4ugAETYgLZPrX3mWZwxEQp9” (marked with a blue line on the right of the graph), back to its origin, we can see that the bitcoins came from two different addresses (“19wEP7uMkW2yWsGV8VWZnX2ENSa6RBFKyj” and “bc1q9wmxlul7gku63rdc62fzwsyujtazxwcvrfj7ut”).
[The primary (traceable) source of this money appears to be the address “3KCWQtzKrCoW5yWa9qjEimnF9ERSgrM3Hg”, which handled over 400 BTC sent to at least 45 different bitcoin addresses.]
The second address identified by BLIN Analytics as related to Hive, “bc1q8fm0rtjcrn0f8f5325vdmqqecrf9ktqkfyndg6” (the other one marked with a blue line, on the left of the graph), has exactly the same origin as the first: the same two addresses.
The diagram shows that the flow of money from these addresses forks and follows two different paths.
Without following every ramification, we can see that in the end the two flows join again in another address: “bc1qavs90pqayhgxcreudu2rhgns8hfagp3ms8ztl8” (marked with a red line, at the bottom of the graph).
Like the others, this address now has a balance of 0: it received and sent money only between 17 and 18 August 2021, then went quiet. But unlike the others, it forwarded the money to at least 117 different Bitcoin addresses in only two outgoing transactions. A transaction with a very large number of outputs of the same size is the typical on-chain footprint of a coinjoin (see below).
It’s a “Wasabi wallet”, according to BLIN Analytics.
What is Wasabi
Wasabi is a privacy-focused Bitcoin wallet that implements coinjoin.
Coinjoin is a so-called “mixing” technique: several users combine their coins into one large transaction with many inputs and many outputs, typically of identical value.
An external observer cannot tell which output belongs to which input, and neither can the other participants (each user knows only their own input and output). It should therefore be difficult to trace where a coin came from and where it went.
The third Bitcoin address
The third address identified by BLIN Analytics as related to Hive (independent from the other two) is “bc1q6m50syqmtw8aln0p0sxxzy7kg8zusrrhy82z05”. According to “Blockchain Explorer”, the balance is again 0. It received 19.57117772 BTC on 5 August 2021 at 21:01, and it sent the same amount, 19.57117772 BTC, on 5 August 2021 at 22:04. Then the address remained inactive.
In this case too, the owner split the money between two different addresses. One of them (“bc1qe0uarfexedpa5k20uw042vl3dc3p3lr9m0xdap”), now with a balance of 0, sent the money to at least 142 different bitcoin addresses. According to BLIN Analytics, it is another Wasabi wallet.
Wasabi security
BLIN Analytics reported in January that “behaviour patterns and Wasabi user errors allow linking deposits and withdrawals in the chains of Coinjoin transactions”.
In February, an article on Forbes by journalist Laura Shin disclosed that Chainalysis had developed the capability to “de-mix” Wasabi transactions, making it possible to track the movements.
After this announcement, Wasabi’s main competitor, Samourai Wallet, accused Wasabi Wallet creator “Nopara” of having “dropped the ball”.
Fun fact. Wasabi 🍌 never implemented ZeroLink. They didn’t even come close to doing so. Nopara dropped the ball early on and went for the easy out: a peel chain. Chainalysis runs rings around Wasabi 🍌. pic.twitter.com/bLmyDt7qip
— TDevD [No KYC, no T&C, no 🍌] (@SamouraiDev) February 23, 2022
Indeed, according to this criticism, Wasabi never properly implemented the so-called “ZeroLink” technique, which is what made the money flow detectable. ZeroLink requires that there be no link between mixed and unmixed coins: once coins have gone through a mix they must never be spent together with coins that have not. Wasabi allowed the two to be merged, leaving trails that undo much of the benefit of mixing.
On 15 June, the creators of Wasabi announced the launch of a renewed service, Wasabi Wallet 2.0, “initiating a new era for Bitcoin privacy”, as their official website states. Whether that will change anything is hard to say.
Other mixers, however, are designed to be more robust. “Samourai Wallet uses Whirlpool, a ZeroLink coinjoin implementation that it created”, the journalistic website Protos explains. “This protocol mixes transactions from five participants during each mix to create 1,496 possible interpretations per mix”.
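The “1,496 possible interpretations” figure can be checked. The following added example (my own code, not Samourai’s, Protos’s or any analysis tool’s) counts the ways a transaction can be read as a set of independent sub-transactions whose input total equals their output total, which is the counting model behind anonymity figures of this kind and also applies to the coinjoin described in the “What is Wasabi” section. It assumes exact amounts with fees ignored and treats every coin of the same value as interchangeable; the input and output lists are constructed, not real transactions. For one input and two outputs (a peel-chain hop like those in the Maltego graph above) the count is 1, i.e. no ambiguity at all; for a five-in, five-out equal-amount mix it is 1,496.

```python
from collections import Counter
from math import factorial, log2


def set_partitions(items):
    """Yield every way to split `items` into non-empty, unordered blocks (Bell-number many)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in set_partitions(rest):
        for i in range(len(part)):          # put `first` into an existing block...
            yield part[:i] + [[first] + part[i]] + part[i + 1:]
        yield [[first]] + part              # ...or open a new block with it


def interpretations(inputs, outputs):
    """Number of ways to read a transaction as independent sub-transactions.

    Each sub-transaction pairs one block of inputs with one block of outputs of the
    same total. Assumption: amounts match exactly (fees ignored). If the inputs and
    outputs can only be grouped one way, the answer is 1: the trail is unambiguous.
    """
    out_signatures = [Counter(sum(b) for b in p) for p in set_partitions(list(outputs))]
    total = 0
    for in_part in set_partitions(list(inputs)):
        in_sig = Counter(sum(b) for b in in_part)   # multiset of block totals
        for out_sig in out_signatures:
            if in_sig == out_sig:
                # blocks with the same total are interchangeable: m! pairings per total
                ways = 1
                for m in in_sig.values():
                    ways *= factorial(m)
                total += ways
    return total


def entropy_bits(inputs, outputs):
    """log2 of the interpretation count: how much an observer does not know."""
    return log2(interpretations(inputs, outputs))


if __name__ == "__main__":
    # constructed examples, amounts in satoshis
    peel = ([1_000_000_000], [800_000_000, 200_000_000])   # one input, two outputs
    whirlpool = ([5_000_000] * 5, [5_000_000] * 5)         # 5x5 equal-amount mix
    print("peel-chain hop:", interpretations(*peel), "interpretation")
    print("5x5 coinjoin  :", interpretations(*whirlpool), "interpretations,",
          f"{entropy_bits(*whirlpool):.2f} bits")
```

The brute force is fine for a five-participant mix (52 partitions on each side) but grows with the Bell numbers, so it is not the way to handle a Wasabi transaction with more than a hundred outputs; the point is the contrast, one interpretation for a peel hop against 1,496 (about 10.5 bits of uncertainty) for a single Whirlpool round, and the fact that any link between mixed and unmixed coins outside the mix collapses that count again.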
What to do with the illicit funds
“Money laundering consists of nothing more than transferring money, and every transfer leaves an indelible trail”, writes the British financier Bill Browder in his 2022 book “Freezing Order”.
When there is evidence that a flow of bitcoin is criminal, “investigators coordinate with the business where the cryptocurrencies are held to either transfer them into a government-controlled wallet or maintain an indefinite freeze”, Chainalysis explains.
Mixing services, however, turn the certainty of a bitcoin trail into a probability: the traces of the transfers can at least be obfuscated, and the full transparency of Bitcoin remains more an aspiration than a fact.