In recent years, the use of ransomware for extortion has become a security issue of serious concern. One of the recent victims was JBS USA, the world’s largest meat producer. The Russia-linked ransomware group REvil was responsible for the attack, which forced JBS to shut down some of its food production sites on May 31st, with thousands of employees affected.
Using analysis of blockchain transactions, Coinfirm has identified the REvil bitcoin wallet that received the 301 BTC ransom payment (the equivalent of $11 million at the time of the transaction) made by JBS on June 1. Our analysis shows that the wallet was used for the first time and that the payment was received from a Gemini account.
Gemini is a cryptocurrency exchange based in the U.S. It is worth mentioning that most of the output transactions from recent ransomware attacks on companies based in the US have been made via Gemini (including the ransom paid by Colonial Pipeline, which suffered an attack from the DarkSide group).
The REvil wallet was clustered (proof of the same ownership) by the Coinfirm algorithm with a second address, which also received funds from Gemini. This was most likely a different ransom transaction from a different entity. We can see a connection between the second REvil ransom address and the Hydra Market (the largest darknet marketplace in the world, serving only Russian speakers) within five hops. This connection is presented below (right part of the visualization).
Defrauded cryptocurrency funds are typically passed through complex layering/mixing schemes aimed at concealing the trail of funds. One method is using blockchain transaction mixers (also referred to as ‘tumblers’ or ‘anonymizers’), which are services that attempt to confuse the trail of blockchain transactions. In most cases funds are divided into smaller portions and are subsequently mixed at random with similarly sized portions of funds or ‘pooled’ with other users’ funds. As a result, the perpetrator receives their funds back with a significantly lower ‘taint’ ratio (low traceability to the perpetrator’s initial blockchain addresses).
Three minutes after receiving the JBS ransom, the REvil hackers sent the full amount of 301 BTC further on. Initial examination of the following transactions shows that the funds were dissipated in order to obscure the trail of subsequent transactions. The funds are fragmented into roughly equal parts, and CoinJoin transactions are also used. The left part of the graphic below presents part of the mixing process of funds originating from the ransomware attack on JBS.
Formerly believed to be untraceable, Bitcoin can now be tracked automatically, and tracked live, thanks to a new Coinfirm service called C-Live.
Many blockchain analytics tools treat all consecutive transactions as dirty or tainted funds using ‘click-through graph tools’ (the so-called ‘Poison’ method). The poison method is not considered a forensic accounting method by many expert witnesses, as it does not follow the rules of professional accounting and neglects the chronology of transactions. It does not distinguish between illicit and clean funds. There are therefore several problems with the tracing tools available on the market that make the REvil ransom case hard to resolve:
All of the above issues are now resolved by the cutting-edge tracking solution developed at Coinfirm (more information about the service can be found here):
We provided the C-Live algorithm with the initial 301 BTC ransom transaction, and we can now trace any movement of the fraudulent funds in real time. The list of consecutive transactions is created automatically and, once the funds reach an identified owner, an instant notification with the list of deposit transactions can be sent.
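To illustrate the difference between the ‘poison’ method discussed above and a tracing approach that respects transaction chronology and amounts, here is an added example (constructed for this article, not Coinfirm’s algorithm or C-Live) run over a small made-up UTXO ledger; the transaction ids, addresses and amounts are constructed, and the value-weighted method is one simple accounting-style alternative, not the only one.

```python
from collections import defaultdict

# Constructed, simplified UTXO ledger (not real chain data), in chronological
# order. Each transaction spends earlier outputs by (txid, index) and creates
# new outputs (address, amount in BTC).
TXS = [
    {"id": "t1", "in": [], "out": [("ransom_addr", 301.0)]},          # ransom lands
    {"id": "t2", "in": [], "out": [("clean_addr", 100.0)]},           # unrelated user
    {"id": "t3", "in": [("t1", 0), ("t2", 0)],                         # CoinJoin-style mix
     "out": [("mix_a", 200.5), ("mix_b", 200.5)]},
    {"id": "t4", "in": [("t3", 1)], "out": [("exchange_deposit", 200.5)]},
]

def poison_taint(txs, seed):
    """'Poison' method: every output of a tx that spends a tainted output is
    fully tainted, regardless of amounts. Returns the set of tainted outputs."""
    tainted = {seed}
    for tx in txs:
        if any(i in tainted for i in tx["in"]):
            tainted.update((tx["id"], k) for k in range(len(tx["out"])))
    return tainted

def proportional_taint(txs, seed):
    """Chronological, value-weighted tracing: each tx passes on only the
    fraction of its input value that was tainted. Returns {output: (fraction, btc)}."""
    amount = {(tx["id"], k): a for tx in txs for k, (_, a) in enumerate(tx["out"])}
    frac = defaultdict(float, {seed: 1.0})
    for tx in txs:  # processed in order: taint only flows forward in time
        if not tx["in"]:
            continue
        total = sum(amount[i] for i in tx["in"])
        dirty = sum(amount[i] * frac[i] for i in tx["in"])
        for k in range(len(tx["out"])):
            frac[(tx["id"], k)] = dirty / total
    return {o: (f, f * amount[o]) for o, f in frac.items() if f > 0}

def compare(txs, seed=("t1", 0)):
    """Run both methods from the same seed output and report them side by side."""
    p = poison_taint(txs, seed)
    q = proportional_taint(txs, seed)
    for o in sorted(p):
        f, btc = q.get(o, (0.0, 0.0))
        print(f"{o}: poison=tainted  proportional={f:.3f} ({btc:.2f} BTC)")
    return p, q

if __name__ == "__main__":
    compare(TXS)
```

The poison method marks the full 200.5 BTC exchange deposit as dirty, whereas the value-weighted trace attributes only 150.5 BTC of it to the ransom because 100 BTC of clean funds entered the mix.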
The screen below presents the live blockchain data on the actual location of the ransom BTC (on the day of writing this article). The funds have been dissipated into 221 addresses. For example, 209 BTC is still held in the wallet belonging to the hackers, and any movement of those funds will trigger further tracking. We can also see that on June 13 at 17:28 (UTC), address 1HF* belonging to the B* exchange received 1.57 BTC originating from the ransom – an instant notification to the exchange may result in the freezing of any assets belonging to the account holder.
The data can also be seen in graphical form.