AK-47s To The Moon – The True Scale of Crypto Crime


2020 was a record high for hidden, unreported crypto crime.  

80% of crypto-related fraud and black hat hacking cases are not reported to law enforcement in the year that they occur and as many as 50% of claims never are. There is no global governmental repository of crypto crime that can combine information from local law enforcement agencies, legal offices and private sector forensic financial investigators.  

But Coinfirm is in a unique position to know more, having built the world’s largest map of crypto crime with live tracing of fraudulent funds.  

This is thanks to deploying advanced funds-tracing methodologies and services, which enable victims and witnesses of crypto crime to report cases and seek justice. During the trial period, these services cumulatively received 5,000+ valid claims, many of which are now the subject of investigations by the company and our partners.

The total value of assets under claim with these services is over 5 billion USD – growing along with new cases and the overall increase of crypto assets’ prices during the current bull run. More than 7 billion USD worth of crypto assets are annually misappropriated due to hacks, scams, ransomware, extortion, and unreliable enterprises.  

Furthermore, between 1 and 2 billion USD annually relates to crypto-related illicit activities other than asset misappropriation, such as terrorism financing, sanctions breaches, the darknet drugs trade, PEP-related corruption, human trafficking and slavery.

True Scale of Crypto Crime

Analysis shows that total crypto crime in 2020 amounted to just under 10.5 billion USD.  

The True Scale of Crypto Crime in 2020 – Fig 1

That’s enough money to buy 70,726,934 AK-47s – at a cost of 148 USD per locally produced model in Pakistan – which stacked end-to-end, could circumnavigate the Earth’s equator 1.6 times. 

Around the Earth with AK-47s and Crypto Crime – Fig 2

But this amount pales in comparison to total traditional financial crime. 

Central bankers continue to take a negative view of Bitcoin and crypto assets, with the president of the ECB Christine Lagarde stating last month that BTC is used for “reprehensible money laundering”. However, crime in fiat is a far bigger problem – as last year’s FinCEN Files so vividly laid bare – with the annual cost of money laundering and associated crimes being 1.4 ~ 3.5 trillion USD according to EY. 

To the Moon with Fiat Crime – Fig. 3

Using just the lower band of 1.4 trillion USD of financial crime in the traditional markets, those funds could buy enough AK-47s that, stacked end-to-end, they could make 21 trips to the Moon.

9.5 billion AKs, or forty-seven and a half times the world’s estimated supply of the gun, is a lot of well-armed terrorists.

What the Law Misses in Crypto Crime

Although most of the ‘billion-dollar crypto frauds’ were found in 2019 and earlier, 2020 brought a significantly larger volume of smaller cases.

An example of hidden crypto fraud is the infamous vanity address generator scams, which were especially popular amongst cybercriminals in the period 2014-2017, whereas the actual theft occurred only in 2020. In one case, 4000 BTC (185 million USD) of funds was traced to a single Singapore-based exchange. Most of the victims are not yet even aware that their funds are missing from their wallets.

Fraud and scams are a particular problem that needs to be tackled, as they accounted for 67.8% of 2020’s total crypto crime.

2020’s Crypto Crime Breakdown – Fig. 4

Despite the seeming crackdown on crypto crime – in July of 2020 more than a hundred people in China were arrested in connection with the PlusToken crypto scam, in October of 2020 the owner of the Helix and Coin Ninja Bitcoin money laundering ‘tumblers’ was arrested in the US and in January of this year 30 individuals were charged in Japan for knowingly trading with 96 of the 560 million USD taken in the 2018 Coincheck hack – according to in-house estimates, 90%+ of criminal activity cases related to crypto-assets remain unsolved.


Law enforcement and governments still do not have the necessary tools to thwart even something as simple as maintaining an up-to-date sanctions list. Analysis by Coinfirm has found addresses associated with terrorism financiers and weapons proliferation actors holding up to 1 billion USD in crypto assets that had been missed by authorities on the OFAC list and others. 

In addition to a lack of proficient tools, many jurisdictions do not yet have reporting requirements. For instance, it is only in the EU’s 6th AMLD that cybercrime is listed as a predicate offense – and thus a reporting requisite for firms suffering the consequences – however, this directive is not law in any member state as of the date of this post.   

Crypto Crime ‘17 – ‘20

The graph below presents the breakdown by number and value of criminal activities across scams, terrorism financing, sanctions breaches, ransomware, hacks, blackmail and darknet markets/drug trafficking during the period 2017 – 2020.

Crypto Crime period 2017 to 2020 – Fig. 5

In the chart above, what is remarkable is the jump from 2018 to 2019 of crypto fraud. This is an outlier period due to the PlusToken crypto Ponzi scheme – one of the largest crypto frauds so far discovered – which scammed $2.9 billion from over 2.6 million unsuspecting victims in China and South Korea, through thousands of ‘investor levels’ (i.e. multi-level marketing, a common method to draw in more victims in pyramid schemes). 

The value of crypto assets misappropriated due to frauds and scams per year more than doubled from 3.65 billion USD to 7 billion USD from 2017 to 2020. On average over the years analyzed, crypto crime in the form of fraud comprises 77.6% of the total.

Whilst scams have not been as much of a systemic risk to the crypto industry as hacks, the value of misappropriated assets from scams is significantly higher than that of hacks, at a multiple of 7 in 2020 (hacks comprised only 9.6% of the total from last year – Fig. 4).

Darknet Markets, Hacks, Sanctions, Scams – Fig. 6

In the visual above, the notable – almost vertical – increase of hack-related illicit activities is clearer, rising 944% from 98.5 million USD to over 1 billion USD between 2019 and 2020 – primarily due to the government-mandated lockdowns where victims were more often online, which criminals exploited.

From 2019 to 2020, darknet markets experienced a 21.8% increase in fund flows, from 1.57 billion USD to 1.92 billion USD. During the same period, sanctions breaches continued to increase at a high rate of 45.5%, from 281 million USD to 409 million USD.

Although sanctions breaches made up just 3.9% of 2020’s total (see Fig. 4), when looking at this risk segment against others in Fig. 6, the rate of increase was more steady. This threat, alongside PEPs (Politically Exposed Persons) and SDNs (Specially Designated Nationals), is unlikely to abate as the sanctions and counter-sanctions by various trade wars raging around the globe continue.

The average increase in total crypto crime between the years analyzed above is 34.92%. If this rate remains steady, projections show that 2021 could see an annual value of 14.1 billion USD, 2025 at 46.5 billion USD and 2030 coming in at a total cost of a staggering 207.8 billion USD (of which crypto fraud would comprise 161.2 billion USD). 

Crypto Crime: Common Fraud Schemes

Fraud comes in all shapes and sizes and this holds true of the crypto-asset industry. Because fraud and scams in crypto accounted for most cases, it is worth a further look at this type of illicit activity. Here we identify 15 major schemes in crypto markets perpetrated by fraudsters. 

  • Fake ICOs: Fake Initial Coin Offerings (ICO) can be used by scammers to lure in unsuspecting victims with the promise of quick profits. ICOs can be completely fabricated, with false bios of ‘ghost’ team members and technical whitepapers that are mirror images of those of other mainstream crypto assets.
  • Fake Exchanges: This scam can take the form of a seemingly legitimate exchange or fake darknet marketplaces (DNM) that are a mirror image of another exchange or DNM which rather than exchange goods or services for money, just steal customers’ cash.  
  • Fake Applications/Wallets: Along with false ICOs and exchanges, fake wallet providers are also rife on app stores. 
  • Investment Scams: Investment scams differ from Ponzis as they do not pay out periodically to ‘investors’; a victim tends to become aware only after they request a withdrawal and are stonewalled. A classic case of this kind of fraud in crypto is the cloud mining scam – both cloud computing and cryptocurrency mining are complex fields, so it is easy to pull the wool over the eyes of victims who are not acquainted with either technology.
  • Market Manipulation: Scammers manipulate crypto-asset markets where spot and related derivatives are transacted. Market manipulation encompasses spoofing (large volume of bid/call orders quickly canceled), front-running (trading in the direction of large bid/call orders before they are executed), churning (excessive trading of clients’ accounts in the effort to generate fees), amongst other schemes. 
  • Pump & Dump: Crypto markets are also prone to the classic market manipulation of pump and dumps (P&D). Owners of lesser-known and lesser-capitalized crypto-assets attempt to drive the price up before selling off their holdings at an artificial peak. Misleading claims hype demand, enabling the originators of the scheme to earn large profits. This type of manipulation is endemic in crypto as there are so few P&D regulations.
  • Ponzi Schemes: Stories of get-rich-quick in crypto entice individuals into Ponzi schemes, where more funds are required to pay fake returns to the early adopters. Sometimes, a ‘fund’ manager can start off operating a fund with real returns but switches to a Ponzi structure as either greed takes over or they are making up for large losses. PlusToken was one such example.
  • Exit Scams: When the holder of the private keys cleans out the custodian/escrow addresses and does an old-fashioned runner. Most notably seen in darknet markets (DNMs), such as Empire Market in August of 2020. 
  • Sim-Swapping: Many financial applications employ Two-Factor Authentication (2FA) as an enhanced security measure. In sim-swapping, criminals reroute 2FA codes sent via mobile text or calls to devices they control. To do so, they must fraudulently claim to the mobile service provider that the device is lost, or the service is being changed.
  • Crypto Jacking: When malicious hackers gain control of a victim’s computer to hijack their CPU power to mine cryptocurrency. This scams the victim of energy bills and if used prolifically in a network can lead to false market dynamics. 
  • Crypto Malware: Viruses that target crypto users seek out accounts to drain users’ funds and/or replace the victims’ authentic addresses with those of the fraudsters.
  • Vanity Address Scam Generators: Cryptocurrency addresses can be customized using address generators. However, the providers of these services can leave a backdoor into unsuspecting users’ addresses and with a single click simultaneously rob them or practice ‘Salami Slicing’ (stealing small amounts of funds over a long period of time).
  • Phishing: Scammers obtaining account details such as usernames and passwords to fraudulently access their victims’ accounts via social engineering. 
  • Honeypot Smart Contracts: In private groups on Telegram for instance, scammers have been known to leave the private keys to addresses ‘accidentally’ or display traps for wannabe hackers but a smart contract trips them up. 
  • Trust Trading: A type of scam where an entity claims that “We’re doing a giveaway, send us 0.1 BTC and we’ll send you 1 BTC back.” Alongside the greed element, victims are lured in by scammers posing as well-known individuals. 

Coinfirm’s Crypto Crime Investigatory Methodology  

Many blockchain analytics providers use only one tracing method, often treating all consecutive transactions as dirty or tainted funds (the so-called ‘Poison’ method), or do not apply forensic accounting methods at all.* Coinfirm’s investigation methodology applies multiple different tracing methods, thereby validating the credibility of the funds tracing evidence. This includes methods widely adopted in bankruptcy law, such as first-in, first-out (FIFO), last-in, first-out (LIFO), pro-rata distribution (Proportional Distribution) and the lower intermediate balance rule (LIBR), but also a set of proprietary methods enhanced for the specifics of blockchain. The reported findings are defensible if they are supported by the results of multiple different forensic accounting methods.

Courts overseeing crypto crime cases tend to have different preferences when it comes to tracing methodologies. However, well-prepared, verifiable evidence of tracing analysis and impartial interpretation, such as multiple methods presenting similar findings, play a key role when it comes to court decisions. 

*The drawback of the Poison method is that the amount of funds evaluated as tainted at their destination can be several times higher than the actual misappropriated amount, and the method does not distinguish between misappropriated and other funds. These constraints mean that findings based on the Poison method could be easily undermined by a skilled attorney, which creates the risk of wasting years of investigation and related costs if the grounds for the case were set by tracing methods with gaps in hard evidence.
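An added illustration (not Coinfirm's code or proprietary methodology) of why the methods named above diverge: simplified Poison, FIFO, LIFO, pro-rata and clean-funds-first LIBR rules applied to one ledger in an account-balance model. The ledger, the function name and the LIBR simplification are assumptions made for this example.

```python
from fractions import Fraction

# Constructed ledger for one intermediary address (account-balance model):
# ("in", amount, is_tainted) or ("out", amount, destination).
LEDGER = [
    ("in", 10, False),
    ("in", 5, True),      # the misappropriated funds arrive
    ("out", 6, "A"),
    ("in", 5, False),
    ("out", 12, "B"),
]

def trace(ledger, method):
    """Return {destination: tainted amount} for one tracing method."""
    clean = dirty = Fraction(0)   # running balances (pro-rata, LIBR)
    lots = []                     # [amount, tainted] in arrival order (FIFO, LIFO)
    poisoned = False              # Poison: any tainted input seen so far
    out = {}
    for kind, amount, tag in ledger:
        amount = Fraction(amount)
        if kind == "in":
            lots.append([amount, tag])
            poisoned = poisoned or tag
            if tag:
                dirty += amount
            else:
                clean += amount
            continue
        if method == "poison":        # every later output is fully tainted
            t = amount if poisoned else Fraction(0)
        elif method == "pro_rata":    # output carries the balance's taint ratio
            t = amount * dirty / (clean + dirty)
        elif method == "libr":        # clean funds leave first (simplified LIBR)
            t = max(Fraction(0), amount - clean)
        else:                         # "fifo" or "lifo": consume deposit lots
            t, need, i = Fraction(0), amount, 0 if method == "fifo" else -1
            while need > 0:
                take = min(need, lots[i][0])
                lots[i][0] -= take
                need -= take
                t += take if lots[i][1] else 0
                if lots[i][0] == 0:
                    lots.pop(i)
        if method in ("pro_rata", "libr"):
            dirty, clean = dirty - t, clean - (amount - t)
        out[tag] = out.get(tag, Fraction(0)) + t
    return out

RESULTS = {m: trace(LEDGER, m) for m in ("poison", "fifo", "lifo", "pro_rata", "libr")}
for name, taint in RESULTS.items():
    print(name, {dest: str(value) for dest, value in taint.items()})
```

On this ledger 5 units were misappropriated, yet Poison marks 18 units as tainted, while each of the other methods attributes at most 5 and splits them differently between A and B.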

Whether traced funds are received by a VASP-controlled wallet or not has an impact on our tracing analysis. Tracing of claimant’s misappropriated cryptocurrency continues until either those funds are received by a VASP-controlled wallet, or the funds are received by a wallet that still currently holds those funds (i.e. there has been no further onward dissipation of the funds). 

Most VASPs operate ‘pooling addresses’ used to store customer deposits and to execute transfers. When a user of the VASP wishes to transfer cryptocurrency from their exchange account, often the exchange will use cryptocurrency held in one of its pooling addresses to settle the transaction, rather than transfer cryptocurrency held in a wallet that only includes that specific user’s cryptocurrency. In these cases, the records matching user account transactions to the movements on the blockchain showing which addresses have been used to settle the transaction are kept only by the exchange. These internal records are not publicly available. The tracing of the Claimant’s cryptocurrency must, therefore, stop once those funds are received by a wallet controlled by an exchange as we do not know which user account transactions relate to transfers from these wallets. 

Coinfirm’s Proprietary Data Sources of Crypto Crime

Achieving synergy between AML/KYC, fraud investigations and data ecosystems takes the security of blockchain and crypto financial markets to a level never before seen in traditional finance.  

The key distinction between AML/KYC in the traditional financial sector and in the crypto asset industry is a far more extensive use of technology – operating on complete datasets of transactions (public ledgers) and embracing forensic data and funds tracing methods directly into AML transaction monitoring. This has enabled Coinfirm to create a ‘three-pillar’ ecosystem, consisting of:

1.  Anti-Money Laundering – a technological platform allowing VASPs and regulators to verify the risk of blockchain addresses, wallets, transactions and counterparties – across over 1500 public and private blockchains and assets – with 270+ high-tech risk detection algorithms, in order to meet all the regulatory obligations in various jurisdictions. 

2.  Fraud Investigations – end-to-end investigation and asset recovery services, including a technological breakthrough solution that allows all funds reported as lost to be tracked in real time, using multiple tracing methods for best evidence.

3.  Data Ecosystem – the network and infrastructure of data collection and data reporting, incentivizing market players to report suspicious activities and allowing victims of crypto fraud from all around the world to report and claim lost funds; through this, Coinfirm has created the world’s largest database of actively monitored blockchain entities and events – enabling fast reactions to crypto crime cases.

These platforms and solutions also allow the firm’s partners to take an active role in combatting crypto crime.

To give an example, funds moving from sanctioned or hacked wallets are tracked automatically through hundreds of ‘layering’ transactions and immediate alerts are given to cooperating VASPs to freeze funds once funds reach accounts under their purview. Additionally, other wallets belonging to a sanctioned entity or a hacker are automatically identified and traced. Coinfirm works on the actual element of crypto crime-related data – not only behavioral or statistical patterns – and uses multiple fund tracing methodologies (both deterministic and AI-based) to provide actual evidence of a crime when it comes to SAR (Suspicious Activity Report) filing and litigation.