NEW YORK – Two groups of highly sophisticated cyber criminals likely have stolen some $1 billion in cryptocurrency hacks, a sum that accounts for the majority of the money lost in such scams, according to a new report from Chainalysis.
Moreover, the two entities probably are still active, said Philip Gradwell, the chief economist at Chainalysis, a maker of software that tracks cryptocurrency transactions.
Chainalysis, which released its findings early Monday, spent about three months tracking the funds stolen in known hacks.
The firm said that there is a chance its analysis is incorrect and that it is unsure of the identities of the two groups.
Cryptocurrency exchanges and investors are often targeted by hackers.
More than $1.7 billion has been publicly reported stolen over the years, mainly from exchanges such as Mt. Gox and Bitfinex.
The frequent hacks are a big reason why institutional investors have shunned digital currencies.
Bitcoin and other cryptocurrencies exist as digital currencies on independent networks.
At the heart of each network is an open transaction ledger called the blockchain, a public record of every single transaction in the network’s history.
In an effort to replicate the anonymity of physical cash, those transactions aren’t connected to an identity. That makes catching hackers difficult.
Organized groups such as the hacker collective Lazarus Group have been suspected in some bigger breaches, but it was widely believed that the majority of hacks were committed by skilled amateurs acting alone.
Chainalysis’s digital investigators determined that likely wasn’t the case when they analyzed the transaction flows from known hacks.
The firm believes it has connected most of the hacks to two groups, which it labeled alpha and beta.
Alpha is “a giant, tightly controlled organization at least partly driven by non-monetary goals,” Chainalysis said in its report. Beta, the second group, is smaller and less organized, a “heavily sanctioned organization absolutely focused on the money,” according to the report.
Chainalysis said the two hacker groups employed an extensive network of digital wallets to hide their tracks and later converted the money to physical cash through online exchanges and individual transactions.
The stolen funds were transferred an average of 5,000 times before they were converted into cash, Chainalysis found.
Alpha tends to immediately begin shuffling the funds around, according to the report.
One hack involved 15,000 transfers.
The entity converted about three-quarters of its stolen funds into cash within an average of 30 days.
Beta, on the other hand, may sit on the stolen funds for up to 18 months, waiting for any publicity surrounding the hack to fade. “When they feel ready to cash out, they quickly hit one exchange, cashing out over 50 percent of funds within days,” the report said.
Gradwell said the hackers will sometimes use regulated exchanges that employ anti-money-laundering controls.
By the time the funds have gone through all those transfers, he added, it is hard for even regulated exchanges to know they are dealing with stolen money.
The firm hopes that by making this data public, it will provide exchanges with better insight into the threats they face.
“This should change how we think about hacks,” Gradwell said.