Coinfirm Analyses Top Hydra Darknet Market Fund Flows

The following is taken from the Crypto Compliance: Unique Cases and State of Regulatory Landscape in 2022 guide.

Coinfirm was founded in 2016 with the mission to make the blockchain economy a safer space and to prove that the technology promises an improvement to the traditional financial system. For instance, one material benefit of blockchain's open-source nature is that it is generally easier, cheaper and faster to ascertain illicit fund flows.

However, those benefits also mean that the law-abiding, overwhelming majority of the crypto community is continuously in an effective arms race against the immoral minority, countering their innovations in blockchain that make committing and profiting from crimes easier, cheaper and faster.

That lasts until RegTechs invent solutions to combat those inventions, and the cycle repeats once more. Below, we showcase insights into that work.

Regulatory Landscape and Law Enforcement Action Against Darknet Markets

Criminals seeking anonymity flock to darknet markets (DNMs) to trade all manner of illicit goods and services. DNMs are an intrinsic part of the ecosystem of bad actors utilising crypto-assets, and although they are a small proportion of those using crypto (just 1.2% of BTC wallets are associated with DNMs, according to Coinfirm’s analysis from October ‘20), the cost to society is significant.

DNMs regularly get taken down by law enforcement or by their creators themselves in ‘exit scams’. Some have had longevity however, especially in jurisdictions that seem to have turned a blind eye. This includes the infamous Russian language-only Hydra market, which accounts for ~75% of global DNM sales.

There are strict laws against accessing websites on the dark web with ill intent and hosting websites relating to illegal activity, but not for just visiting DNMs. Depending on the type of illegal activity – such as viewing child pornography or the purchase of narcotics – different punishments apply between jurisdictions.

Regulators and FIUs focus on tackling the root cause of and channels of serious financial crimes – such as terrorism financing, money laundering and proliferation financing – to keep the rest of society safe.

Regulations apply to business sectors, and their participants, in the form of legitimate businesses, must abide by certain rules in order to prevent funds from illegitimate sources (e.g. darknet markets) from being integrated into the financial system.

Therefore, whilst laws do not make it illegal to access DNMs, funds coming from DNMs are seen as exceedingly high risk.

VASPs may be unknowingly accepting illicit funds stemming from DNM activities, especially when mixers are used in the layering process. VASPs accepting funds directly or indirectly transferred from darknet markets face a wide range of risks, ranging from money laundering or sanctions non-compliance through to legal and reputational risks, especially in light of the types of illicit activities whose proceeds have been identified as passing through these markets. The potential of blockchain analytics in controls for darknet market related risks has been recognized by a number of Coinfirm’s clients as well as by regulators. For example, the UK JMLSG Guidance Notes state that “Firms should consider undertaking their own analysis of the blockchain, seeking to assess any nexus to sources of risk, including the darknet and blacklisted addresses, and they should consider using the services of a specialist blockchain analysis provider, particularly where the risk is significant or the volume of transactions is substantial.”

Take for instance the case of Larry Harmon, the owner of the mixer Helix, who was charged with money laundering by the US DoJ. Harmon owned a darkweb search engine as well as the mixer, and advertised the mixer on the darkweb, thus conspiring with vendors to launder their funds, for a fee.

Coinfirm’s AML Platform has risk indicators categorised under mixers and tumblers that inform of transactions an address is making or receiving from them. In the next section we deploy those and many more to analyse the infamous Hydra.

Blockchain AML Analytics Deployed on Hydra DNM Flows

Coinfirm analysed Hydra fund flows to VASPs and found that many large crypto exchanges are still receiving funds from the dark web entity.

As the crypto-asset market has matured, it has become imperative for businesses operating in the space to be in regulatory compliance with each jurisdiction’s stringent regulations. Coinfirm’s advanced AML/CFT and crypto crime investigatory tools provide an avenue by which organisations operating in the space can comply whilst minimising the impact on their bottom line.

One of these tools is C-Live*, Coinfirm’s flagship illicit crypto live-tracking solution, which Coinfirm’s Investigations Department used to analyse Hydra’s fund flows.

In total, Coinfirm identified ~5.8 million BTC addresses of the Hydra Market. Hydra operates under the escrow system, so there is no central ‘hot wallet’, but each ‘vendor’ operates a separate payment system using their own addresses.

“Blockchain transactions are pseudonymous. With a proper tool, like C-Live, coins can be flagged as ‘risky’, and these coins can be traced automatically and in real-time, which enables freezing the funds once deposited to the cryptocurrency service. It doesn’t matter whether the perpetrator used ten or ten thousand transactions to dissipate the funds in an attempt to lose the trace. This is the huge advantage of the blockchain knowledge-based approach vs. the traditional finance ‘maybe’ risk-based approach.” – Roman Bieda, Head of Fraud Investigations at Coinfirm

Coinfirm tracked the top 10 addresses – based on their BTC turnover, following the Pareto rule – operating on the Hydra DNM, sufficient to get meaningful findings.

In this manner, Coinfirm traced BTC to all wallets from those 10, starting with all 17,144 outgoing transfers. These amounted to 153,441 BTC, 16% of Hydra’s total turnover or USD 1,272,028,214 (at the exchange rate on the day of each transaction).

Identified were 1,007 addresses attributed to 42 VASPs that had received 28,584 BTC originating from the top 10 addresses of Hydra. Many of the identified addresses are likely to be nested services (e.g. over-the-counter brokers).

Below is a visual example of tracking – using the five forensic accounting methods noted below – from one of the addresses.

* C-Live applies 5 different tracing methodologies – First In First Out, Last In First Out, Pro Rata Distribution by Blocks, Pro Rata Distribution by All Outputs, and Taint Last – to ensure accuracy of results for use in a court of law. C-Live is the only algorithm that provides Destination and Source of Funds evidence fully automatically, in real-time, both in tabular and visual form, and enables tracking through CoinJoin transactions. Results were confirmed with all five tracing methods applied and can be proven despite mixers or complex layering schemes (BTC dissipation on ‘000s of addresses). Included are only addresses that received more than 5 BTC from the top 10 addresses of Hydra. Omitted were those that received less due to data volume.
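To show why a result is cross-checked under several tracing methods, the added example below (not Coinfirm's code and not the C-Live algorithm) applies generic First In First Out, Last In First Out and pro rata accounting to one constructed intermediary wallet and reports how much of each outflow is attributed to the flagged source. It assumes a simplified account-style ledger rather than Bitcoin's UTXO model, and it does not implement the "by Blocks", "by All Outputs" or "Taint Last" variants, which the text names but does not define.

```python
from collections import deque
from fractions import Fraction

# Constructed ledger for one intermediary wallet, amounts in BTC.
# ("in", amount, tainted?) or ("out", amount, destination label).
LEDGER = [
    ("in", 6, True),              # received from a flagged address
    ("in", 4, False),             # unrelated clean funds
    ("out", 5, "peer"),
    ("in", 2, False),
    ("out", 5, "vasp_deposit"),   # the deposit a VASP must risk-score
]

def trace_ordered(ledger, lifo=False):
    """FIFO (default) or LIFO: spend received lots in arrival order."""
    lots, tainted_out = deque(), {}
    for kind, amount, info in ledger:
        if kind == "in":
            lots.append([Fraction(amount), info])
            continue
        need, tainted = Fraction(amount), Fraction(0)
        while need > 0:
            if not lots:
                raise ValueError("outflow exceeds wallet balance")
            lot = lots[-1] if lifo else lots[0]
            take = min(need, lot[0])
            lot[0] -= take
            need -= take
            if lot[1]:
                tainted += take
            if lot[0] == 0:
                lots.pop() if lifo else lots.popleft()
        tainted_out[info] = tainted
    return tainted_out

def trace_pro_rata(ledger):
    """Pro rata: each outflow carries the balance's current taint ratio."""
    balance = dirty = Fraction(0)
    tainted_out = {}
    for kind, amount, info in ledger:
        amount = Fraction(amount)
        if kind == "in":
            balance += amount
            dirty += amount if info else 0
            continue
        if balance == 0 or amount > balance:
            raise ValueError("outflow exceeds wallet balance")
        share = amount * dirty / balance
        balance, dirty = balance - amount, dirty - share
        tainted_out[info] = share
    return tainted_out
```

On this ledger the tainted share of the 5 BTC VASP deposit is 1 BTC under FIFO, 3 BTC under LIFO and 15/7 BTC under pro rata, so the methods agree that the deposit has exposure but disagree on the amount.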
