Coin Swapping: Money Laundering Tactics on Crypto Exchanges
Prachi Pandey
The rise of decentralized finance (DeFi) has revolutionized how we interact with cryptocurrencies. However, alongside innovation comes the challenge of mitigating illicit activity. Coin swapping, a core function within DeFi, has emerged as a tool for money laundering, raising concerns about the potential misuse of these platforms. In this blog we’ll review how coin swapping on decentralized exchanges (or DEXs) works and why criminals exploit them to launder stolen funds. We'll also explore real-world examples of hacks where coin swapping played a major role in laundering stolen crypto across blockchains.
Key Components of Swap Protocols
Unlike their centralized counterparts, swap protocols don't rely on order books to match buy and sell orders. Instead, they leverage smart contracts and liquidity pools to facilitate seamless asset exchanges. Here's a breakdown of the key components of swap protocols:
- Smart Contracts: Smart contracts are self-governing programs deployed on a blockchain that dictate the rules and conditions of a transaction. In coin swapping protocols, smart contracts define the logic for exchanging tokens based on pre-defined algorithms.
- Liquidity Pools: Liquidity pools are decentralized reservoirs of crypto assets deposited by users. These pools facilitate efficient swaps by having readily available assets to fulfill exchange requests. Users can contribute to liquidity pools and earn rewards based on the trading volume generated by the pool.
- Automated Market Makers (AMMs): AMMs are algorithms embedded within smart contracts that automate the process of determining exchange rates for token swaps.
How Coin Swaps Work: Step-by-Step
Now that we've explored the building blocks, let's understand the technical flow of a coin swap on a DEX:
- Initiating the Swap: A user submits a swap request to the DEX, specifying the desired token, the amount to be exchanged, and the maximum acceptable slippage (the difference between the expected and actual exchange rate due to pool dynamics).
- Smart Contract Interaction: The user's wallet interacts with the DEX's smart contract, triggering a function that initiates the swap process.
- Determining the Exchange Rate: The AMM algorithm within the smart contract calculates the exchange rate based on the current pool reserves.
- Liquidity Pool Deduction and Payment: The smart contract deducts the desired amount of the outgoing token from the corresponding liquidity pool reserve. Simultaneously, it adds the equivalent value of the incoming token (based on the calculated exchange rate) to the other reserve in the pool.
- Transaction Finalization: The smart contract transfers the newly acquired tokens to the user's wallet, completing the swap transaction.
This trustless and permissionless process facilitates token swaps without a central authority matching buy and sell orders.
In simple terms, coin swapping on a DEX means exchanging one type of cryptocurrency for another using automated systems and smart contracts, without needing a middleman.
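The steps above can be made concrete with a small pool model. This is an added example, not code from the article or from any DEX: it assumes a constant-product AMM (x * y = k) with a 0.30% fee, a common design that the article does not itself specify, and the `Pool` class and its reserves are hypothetical.

```python
from dataclasses import dataclass

FEE_BPS = 30  # assumed 0.30% pool fee; the article does not name a fee


class SlippageExceeded(Exception):
    """Raised when the pool would pay out less than the user's minimum."""


@dataclass
class Pool:
    reserve_in: int   # reserve of the token the user is selling
    reserve_out: int  # reserve of the token the user is buying

    def quote(self, amount_in: int) -> int:
        """Exchange-rate step: output implied by current reserves (x * y = k)."""
        after_fee = amount_in * (10_000 - FEE_BPS)
        return (after_fee * self.reserve_out) // (
            self.reserve_in * 10_000 + after_fee
        )

    def swap(self, amount_in: int, expected_out: int, max_slippage_bps: int) -> int:
        """Run one swap, reverting if slippage exceeds the user's tolerance."""
        out = self.quote(amount_in)
        min_out = expected_out * (10_000 - max_slippage_bps) // 10_000
        if out < min_out:
            # On-chain the whole transaction reverts; reserves stay untouched.
            raise SlippageExceeded(f"would receive {out}, minimum is {min_out}")
        # Pool update step: one reserve grows, the other shrinks.
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


if __name__ == "__main__":
    pool = Pool(1_000_000, 1_000_000)   # constructed reserves
    expected = pool.quote(10_000)       # rate the user saw before submitting
    print("received:", pool.swap(10_000, expected, max_slippage_bps=50))

    # A larger trade lands first, so the next user's quoted rate is stale.
    stale = pool.quote(10_000)
    pool.swap(50_000, pool.quote(50_000), max_slippage_bps=0)
    try:
        pool.swap(10_000, stale, max_slippage_bps=50)
    except SlippageExceeded as err:
        print("reverted:", err)
```

The second swap in the demo reverts because the pool's reserves moved between quote and execution, which is the situation the slippage limit exists to catch.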
However, the very features that make coin swapping attractive also create vulnerabilities for money laundering activities. Criminals exploit coin swapping protocols to launder illicit funds through a multi-stage process.
Why Criminals Find DEXs Appealing for Laundering Money
Decentralized exchanges (DEXs) have become a hotbed for illicit activity due to several factors that make them attractive to money launderers:
- Bypassing Compliance: Unlike centralized crypto exchanges with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, DEXs lack a central authority. This allows criminals to bypass these controls and avoid scrutiny.
- Lack of Oversight: DEXs operate with limited user oversight. There's no central administrator monitoring accounts, records, identities, or transactions, making it easier for criminals to hide their activities.
- Crypto-to-Crypto Swaps: DEXs facilitate seamless swaps between different cryptocurrencies. Criminals exploit this feature to layer stolen funds, essentially through chain hopping, obfuscating the origin of the money by converting it through multiple DEX transactions across different tokens.
How Criminals Exploit DEXs for Chain Hopping
To illustrate the process of chain hopping, consider this scenario involving stolen crypto and DEXs:
- Initial Infiltration: Malicious actors successfully execute an attack against a platform, acquiring a significant amount of Bitcoin (BTC).
- Initial DEX Swap: To break the initial link between the stolen funds and the attack, the criminals utilize a DEX to convert a portion of the BTC into Ethereum (ETH).
- Chain Hopping via Multiple DEXs: The criminals engage in a series of swaps across various DEXs operating on different blockchains, including Ethereum (ETH), Binance Smart Chain (BSC), and Avalanche (AVAX). Each swap involves converting the funds into a different token, adding layers of anonymity. Smaller liquidity pools are often targeted due to their susceptibility to manipulation, further obfuscating the trail.
- Potential Cash Out: The final stage involves potentially converting a portion of the laundered funds back into a major cryptocurrency or even fiat currency. This typically occurs through a centralized exchange with looser KYC/AML regulations, a step that poses a higher risk of detection.
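From the investigator's side, the same scenario can be followed hop by hop. The sketch below is an added example, not code from the article or from any forensics product: the ledger, the `chain:label` addresses and the sink label are constructed, and it tracks addresses only, without the amounts a real trace would also follow.

```python
from collections import deque, namedtuple

Hop = namedtuple("Hop", "sender receiver asset_in asset_out")

# Constructed ledger mirroring the scenario above (placeholder addresses).
LEDGER = [
    Hop("btc:theft", "btc:a1", "BTC", "BTC"),           # funds leave the theft address
    Hop("btc:a1", "eth:a2", "BTC", "ETH"),              # first swap breaks the BTC link
    Hop("eth:a2", "bsc:a3", "ETH", "BNB"),              # chain hop
    Hop("bsc:a3", "avax:a4", "BNB", "AVAX"),            # chain hop
    Hop("avax:a4", "eth:cex_deposit", "AVAX", "ETH"),   # cash-out attempt
    Hop("eth:a2", "eth:a5", "ETH", "ETH"),              # leftover moved sideways
    Hop("eth:u1", "eth:u2", "ETH", "USDC"),             # unrelated user swap
]
# Hypothetical labels an analyst would maintain for known services.
SINKS = {"eth:cex_deposit": "centralized exchange"}


def chain_of(addr):
    return addr.split(":", 1)[0]


def trace(seed, ledger=LEDGER):
    """Breadth-first walk of outgoing hops from a watchlisted address."""
    by_sender = {}
    for hop in ledger:
        by_sender.setdefault(hop.sender, []).append(hop)
    paths = {seed: []}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        for hop in by_sender.get(addr, []):
            if hop.receiver not in paths:  # keep shortest path, ignore cycles
                paths[hop.receiver] = paths[addr] + [hop]
                queue.append(hop.receiver)
    return paths


def alerts(seed, min_swaps=3, ledger=LEDGER):
    """Flag labelled sinks reached after repeated asset changes."""
    found = []
    for addr, path in trace(seed, ledger).items():
        swaps = sum(h.asset_in != h.asset_out for h in path)
        hops = sum(chain_of(h.sender) != chain_of(h.receiver) for h in path)
        if addr in SINKS and swaps >= min_swaps:
            found.append((addr, SINKS[addr], swaps, hops))
    return found


if __name__ == "__main__":
    print(alerts("btc:theft"))
```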
Case Study: Arcadia Finance Exploit and Potential Money Laundering via Coin Swapping (July 10, 2023)
This case study examines the security exploit that occurred on July 10, 2023, at Arcadia Finance, a non-custodial DeFi protocol. We will analyze the incident, focusing on the potential use of coin swapping for money laundering purposes.
The Exploit:
- On July 10, 2023, an exploiter targeted a vulnerability in Arcadia Finance's code, resulting in the theft of approximately $455,000 worth of USDC and USDT stablecoins.
- The attackers converted approximately 75% of the stolen funds (around 190 ETH) into another cryptocurrency.
- A significant portion (179 ETH) of the converted funds was sent to Tornado Cash on the same day. Additionally, another 65 ETH was sent to Tornado Cash two days later.
The LastPass Breach (October 25, 2023)
The LastPass security breach exposed a major vulnerability in a popular password manager, leading to a cyber heist targeting cryptocurrency assets. The attackers, after compromising user accounts, stole a significant amount of crypto – approximately $4.4 million – across various blockchain networks like Bitcoin, Ethereum, and several DeFi ecosystems.
Here's how coin swapping played a critical role in potentially laundering the stolen funds:
- Uniswap Used for Conversion: A portion of the stolen assets, specifically 552,627.36 units of the Polygon (POLY) token, were swapped for 334.8271 ETH through Uniswap, a decentralized exchange (DEX). This swap effectively converted the stolen POLY tokens into a more widely used cryptocurrency (ETH) that could be more easily moved and potentially laundered further.
- Exchange Swaps and Movement: In another instance, the attackers transferred 386.18 ETH, 35,315 MATIC (Polygon's native token), and 262.69 BSC (Binance Smart Chain's token) to a centralized exchange. These assets were then swapped for a significant amount of Bitcoin (30.07 BTC), further obscuring the origin of the stolen funds.
- THORChain for Anonymity: The attackers also leveraged THORChain, a decentralized cross-chain liquidity protocol. They sent 816.5 ETH to THORChain and swapped it for 56.45 BTC. THORChain's functionality allows for anonymous token swaps, adding another layer of complexity for investigators trying to track the stolen funds.
The case studies of the Arcadia Finance exploit and the LastPass breach showcase a concerning trend: the misuse of DEXs and coin swapping functionalities for potential money laundering activities. As these cases illustrate, attackers leverage coin swaps to:
- Break the Direct Link: By converting stolen assets like stablecoins into different cryptocurrencies, attackers disrupt the initial connection to the source of the funds, making tracing more challenging.
- Increase Anonymity: Swapping to less traceable cryptocurrencies or utilizing anonymizing services like Tornado Cash (Arcadia Finance) can further obfuscate the origin and destination of stolen funds.
- Layer Transactions: As seen in the LastPass breach, attackers can conduct multiple swaps across various platforms (DEXs, centralized exchanges, cross-chain protocols) to create a complex web of transactions, hindering investigative efforts.
These cases highlight the double-edged sword nature of coin swaps. While coin swapping offers legitimate users a convenient way to exchange cryptocurrencies, it also presents vulnerabilities that can be exploited for illicit purposes.
How can Merkle Science help?
Our advanced blockchain forensics tool Tracker provides optimal capabilities for analyzing DeFi and smart contract transactions. It boasts a watchlist feature that promptly alerts users to any inbound or outbound fund transfers from the attacker's address. Additionally, Tracker's multichain functionality allows investigators to visualize transfers on multiple blockchains in one place, making tracing the funds across complex DeFi ecosystems significantly easier. Our system encompasses over 22 distinct blockchains and additional L2 chains, facilitating comprehensive fund flow analysis for investigators.
For more information, visit our Tracker page to request a demo or contact us at investigations@merklescience.com.