Cryptocurrency exchange Binance says it recently assisted law enforcement officials in tracking down individuals who allegedly laundered millions for the Clop ransomware group.
Binance, an exchange that started in China but is now registered in the Cayman Islands, says the work was part of an effort to expand its anti-money laundering and analytics capabilities to detect abuse of its exchange by criminals.
In May, news agency Bloomberg reported that Binance Holdings Ltd. was under investigation by the U.S. Justice Department and Internal Revenue Service. The company, however, denied any wrongdoing and stressed its cooperation with law enforcement agencies.
“We believe that strong controls across exchanges, smart legislation and ongoing education will help immensely with weeding out bad actors,” the exchange says in a blog post. “Our ongoing partnerships with law enforcement, as well as security and blockchain analytics firms, will be a driving force in improving the cybersecurity measures across the wider crypto industry.”
A comprehensive study released by the Ransomware Task Force said a key strategy for fighting against attacks is disrupting the business model and decreasing profits. That includes encouraging cryptocurrency exchanges to comply with anti-money laundering, anti-terrorism and know-your-customer requirements (see: Fighting Ransomware: A Call for Cryptocurrency Regulation).
Ukrainian authorities, in cooperation with Interpol and U.S. and South Korean law enforcement agencies, announced the arrests on June 16 of six individuals who they say aided the Clop ransomware gang.
Ukrainian police executed 21 searches, seizing $185,000 in cash, computer equipment and cars (see: Ukraine Arrests 6 Clop Ransomware Operation Suspects).
Clop, which has been around for more than two years, is a ransomware-as-a-service group that offers its ransomware to affiliate partners for deployment in exchange for a share of the ransoms.
Clop was responsible for releasing the data of a number of organizations that used Accellion’s File Transfer Appliance, in which several zero-day vulnerabilities were discovered starting late last year (see: Qualys Gets ‘Clopped’ by Accellion-Exploiting Attackers).
Clop’s Activities Continue
After Ukraine’s announcement about the arrests, the security firm Intel 471 said the bust didn’t appear to affect the activities of the Clop gang, which is believed to be based in Russia.
“The law enforcement raids in Ukraine associated with Clop ransomware were limited to the cash-out/money laundering side of Clop’s business only,” according to Intel 471. “We do not believe that any core actors behind Clop were apprehended and we believe they are probably living in Russia.”
The website Clop uses to leak the data of its victims is still online. And managed threat intelligence services provider SOS Intelligence reports via Twitter that the gang recently added a new victim page to its website, indicating the gang is still active.
The CL0P Ransomware gang has added a new victim page to their website, suggesting that the gang members recently arrested were not the same people, or that only some of the members were arrested. #CL0p #Ransomware pic.twitter.com/XoBsOGd7J7
— SOS Intelligence (@SOSIntel) June 22, 2021
The new victim on the landing page is Valley Truck and Tractor, SOS Intelligence says. That company was not available for comment.
Using Blockchain Analytics
Binance says the biggest security problem in the cryptocurrency industry is the laundering of money that comes from cyberattacks.
“These criminals enjoy taking advantage of reputable exchanges’ liquidity, diverse digital asset offerings and well-developed APIs,” Binance says. “In a majority of the cases associated with illicit blockchain flows coming onto exchanges, the exchange is not harboring the actual criminal group themselves, but rather being used as a middleman to launder stolen profits.”
The majority of ransoms are still paid in bitcoin, although some gangs request payment in privacy-focused virtual currencies, such as monero.
Because bitcoin has an open ledger of transactions called the blockchain, the flow of ransoms and illicit funds can be tracked, although it may not be easy to figure out the real names of those who control the funds (see: In Ransomware Battle, Bitcoin May Actually Be an Ally).
Binance says it’s been taking part in a multinational police investigation of the cybercrime gang known as Fancycat, which it says has been “distributing cyberattacks, operating a high-risk exchanger and laundering money from dark web operations and high-profile cyberattacks” that involve Clop as well as Petya ransomware.
The Petya ransomware appeared in 2016. It encrypted the master boot record of computers. It was followed in 2017 by a similar ransomware that was dubbed NotPetya. That malware affected shipping logistics giant Maersk and others (see: Ransomware Smackdown: NotPetya Not as Bad as WannaCry).
Rashmi Ramesh, senior subeditor, global news desk, contributed to this story.