Investigation of AML Instances Around Blockchain Technology for the First Half of 2022

We recently released the “2022 Mid-Year Blockchain Security and AML Analysis Report”. We’ll be breaking down this report into four section for the convenience of our readers.

This second article discusses how anti-money laundering is utilized in connection with blockchain technology, as well as the tools and methods used.

Cryptocurrency transactions are inherently anonymous and irrevocable. Because of this, in the case of common cryptocurrency scams, blockchain anti-money laundering is in a critical position and also serves as the final line of defense to prevent hackers from effectively exploiting it. In response to the omnipresent danger of hackers, many entities, including trading platforms/money management platforms/project contributors, regulators, and blockchain security businesses, have established anti-money laundering coalitions.

These organizations’ anti-money laundering dynamics in the first half of 2022 are as follows:

Platform for trading/money management/project contributors

  • Tether: In the first half of 2022, 132 ETH addresses were blacklisted and the USDT-ERC20 assets held on these addresses were frozen.
  • Circle: In the first half of 2022, 18 ETH addresses were blacklisted and the USDC-ERC20 assets held on these addresses were frozen.


  • The US Treasury Department sanctioned Ronin Network hacker (LAZARUS GROUP) associated addresses on April 14, and it sanctioned a bitcoin mixer, Blender, on May 6. It is worth mentioning that the US Treasury Department has never before authorized a bitcoin mixer.

Blockchain Security Company

  • Chainalysis: On March 10th, an on-chain database contract called SanctionsList was formed, banning a total of 31 addresses.
  • SlowMist: On April 27th, the MistTrack anti-money laundering monitoring system, which focuses on preventing cryptocurrency money laundering operations, was formally introduced.

As we all know, the major force of money laundering has always been hackers, darknet organizations, fraudsters, and Rug Pull projects that have constructed blockchain security breaches. The most infamous of them is the North Korean hacking outfit LAZARUS GROUP, which presents a significant danger to the Blockchain ecosystem.

According to open source intelligence and on-chain data analysis, The Lazarus Group’s dynamics in the first half of the year are as follows:

1. On January 17th, had unauthorized withdrawals made from a limited number of user accounts.

2. On February 8th, the IRA Financial Gemini escrow account was illegally withdrawn.

3. On March 23rd, the incident on the Ronin Network bridge became one of the most costly hacking events in crypto history.

We can find traces of the Lazarus Group in these security incidents through systematically monitoring their money laundering techniques.

  • Initial stage: Convert all stolen funds on the ETH network to ETH and transfer all ETH to Tornado Cash (in large quantities) or a trading platform (small amount).
  • Middle stage: Funds withdrawn from Tornado Cash were in batches and converted into renBTC tokens before being transferred over to the BTC blockchain.
  • Later stage: After withdrawing renBTC, the funds were pooled and transferred to Coinjoin, a mixer on the bitcoin blockchain.

Money laundering tools are obviously necessary in the process of money laundering by hackers, darknet organizations, fraudsters, and Rug Pull scammers. Tornado Cash is a common money laundering platform on the ETH and BSC chain. Coinjoin tools (ChipMixer, for example), coin mixers (Blender, CryptoMixer, for example), private wallets (Wasabi, Samourai, for example), currency exchange platforms (ChangeNOW, SimpleSwap, FixedFloat, for example), and certain trading platforms are all accessible on the bitcoin blockchain.

The following are deposits and withdrawal figures for various typical money laundering incidents in the first half of 2022:

(Tornado Cash Deposit/Withdrawal Chart for the First Half of the Year)

Tornado Cash: Users deposited a total of 955,277 ETH ~$2.442 billion to Tornado Cash in the first half of 2022. A total of 892,573 ETH ~$2.249 billion was withdrawn from Tornado Cash.

(ChipMixer Deposit/Withdrawal Chart for First Half of the Year)

ChipMixer: In 2022, 26,021.89 BTC was sent to ChipMixer, and 14,370.57 BTC were withdrawn from ChipMixer.

Blender: This coin mixer was used by Lazarus Group to launder funds stolen from the Ronin Network’s bridge. On May 6, the US Treasury Department sanctioned it, and now the website is no longer accessible.

Several key concerns arise throughout the anti-money laundering analysis process: where does the initial funding for the attack originate from? Where were the funds transferred to? We will now investigate these two questions based on these security incidents that happened in the first half of 2022.

Where does the initial funding for the attack originate from?

(Diagram for Initial Funding)

Tornado Cash accounts for the bulk of the initial funding for these security incidents. According to the diagram above, there have also been reports of withdrawals from exchanges, trading platforms, and personal wallets to fund these security incidents.

Where did the money that was laundered end up?

Based on our analysis of these security incidents, funds were laundered on the ETH or BTC blockchains. If the funds were not already on these two blockchains, hackers might consider moving them to these chains to continue the process.

The chart below was generated by analyzing the flow of ETH and BTC stolen during an incident.

  • ETH Money Laundering Flow Chart
(ETH Money Laundering Flow Chart)
(Platform Percentage of ETH Laundered)

According to the flow chart, Tornado Cash receives 74.7% of the funds laundered on the ETH blockchain, up to 300,160 ETH. 23.7% of funds currently remain on the hacker’s address, amounting to 95,570 ETH. 1.5% of the funds were sent to a trading platform, about 6,250 ETH.

  • BTC Money Laundering Flow Chart
(BTC Money Laundering Flow Chart)
(Platform Percentage of BTC Laundered)

According to the chart above, 49.1% of funds laundered went to ChipMixer, totalling 3,460 BTC. 36.6% of laundered funds are currently held at the hacker’s address, totalling 2,586 BTC. 6.2% of funds laundered were moved to Blender, with 3.8% of laundered funds moved to CryptoMixer and a small percentage to other unknown entities. 1.3% of laundered funds were moved to renBTC, 0.7% were moved to Wasabi Coinjoin, and 0.1% were moved to the Binance Exchange.

Basic Tools- MistTrack

(MistTrack — Example Diagram of Anti-Money Laundering Tracking System)

MistTrack was designed by SlowMist as a crypto analytics platform that combines a number of SaaS systems. It was specifically designed to target crypto money laundering activities. Our core functions include AML Risk Scores, Transaction Analysis, Asset Tracing, and Monitoring.

  • AML Risk Score

The AML risk score is a score assigned to an address owner by analyzing its historical transaction data against SlowMist’s database of malicious wallets. If an address belongs to a high-risk entity, such as a mixer, or if it received cash from it, it will be assigned a high risk score. Any confirmed addresses involved in illicit activities such as extortion, theft, phishing, and/or fraud are automatically marked as risky in SlowMist’s database.

  • Address Labels

The MistTrack database has accumulated over 200 million wallet addresses. These address include information based on the following 3 categories:

1. Entity addresses such as Coinbase, Binance, etc.

2. On-chain analytics on DeFi whales, MEV Bots, and ENS.

Off-chain data, such as imToken/MetaMask wallets users.

  • Investigations

MistTrack plays a crucial part in the analysis and evaluation of anti-money laundering through its analysis of transaction characteristics, on-chain activities, and capacity to monitor any wallet address.

Our investigation feature allows users to track and visualize the flow of crypto assets between wallets. Users can also monitor the movements of funds in real time. All information, on-chain and off-chain, are integrated into one panel to provide a complete analysis that can be turned over to law enforcement agencies as evidence.

(MistTrack — Example Diagram of Tracking Analysis)

Our database has over 1,000 entity addresses, 100,000 threat intelligence addresses, 90 million malicious activity addresses, and has tagged over 200 million addresses. This is to provide users with a comprehensive database for anti-money laundering research and analysis.

We can see from a number of incidents that stolen funds on the ETH/BSC chain have typically been transferred to mixers such as Tornado Cash, making it the platform of choice for scammers and hackers to launder their funds. While MistTrack is effective for conventional AML analysis, additional resources are required for more complex cases.

New laundering techniques necessitate the development of new analytical processes including the analysis of Tornado Cash transactions. Here we will discuss one of the methods we use for analyzing transfers out of Tornado Cash.

● First, we’ll make a note of what information we know currently, such as the total number of transfers, the time of the initial deposit, and the block height of the first deposit.

● Then, we fill in the parameters in the Dune dashboard we’ve prepared.

● We’ll obtain preliminary withdrawal data and then further filter the results using the feature classification method.

Following a screening, the addresses that’s most likely to be associated with the scammer will be provided and the result set with the highest probability is selected and verified.

(Dune Dashboard — Tornado Cash Withdrawal Analysis)

Through this technique, we were able to correctly identify the withdrawal address of stolen funds from numerous incidents such as the Ronin network exploiter.

Evidently, this strategy has some limitations:

A parameter is the amount of funds sent to Tornado Cash. The amount of anonymity set decreases as the amount of funding increases. The opposite is true when lesser funds are sent. As a result, it is more challenging to analyze small sums sent to tornado cash.

On the Bitcoin network, ChipMixer and Blender are platforms frequently utilized for laundering by malicious actors. Blender is currently sanctioned by the United States Treasury; hence, the website is no longer accessible and will not be addressed further.

Due to the substantial influx of funds via ChipMixer, we have also proposed a method for analyzing their transactions.

  • We identify ChipMixer’s withdrawal characteristics.
  • We then scan and filter the structured block data for the relevant time period based on the aforementioned withdrawal characteristics. Then we collect ChipMixer’s withdrawal records within this time frame.
  • We categorize the withdrawal data and verify the results with the highest probability.

Anti-money laundering is still the top priority of the development of blockchain, in the face of endless hacking incidents, in view of its unique characteristics, the corresponding anti-money laundering norms also need specific problems, specific analysis, and specific responses. The typical security incidents mentioned in this article are detailed in the full report.

Download the full report: first-half-of-the-2022-report(EN).pdf



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.