When an attacker extorts a victim with ransomware and is paid in bitcoin, the transaction is recorded on a public ledger, and the receiving blockchain address is likely to be flagged. It holds dirty money, which the cybercriminals will then attempt to launder in a variety of ways. This is the final stage in turning scams, online theft and other cyberattacks into real profit.

The laundering of money from cybercrime involves a complex network of transfers: a maze of cryptocurrency transactions and of conversions between cryptocurrencies and legal tender. Investigators tracking these funds therefore have their work cut out for them. ‘Ultimately, this activity has generated an underground economy, but one that is global, incredibly large and complex,’ says Raúl Orduna, head of Digital Security at the Basque technology centre Vicomtech. ‘Once someone has carried out a cyberattack, the key is how they gain access to the money obtained.’

In 2023, the laundering of illicit funds linked to cryptocurrencies is estimated to have reached around $22.2 billion, according to the 2024 Crypto Crime Report produced by Chainalysis, a company known for investigating illicit activity on blockchain networks. For 2024, the same firm puts the total value received by illicit blockchain addresses (an address being, roughly, the equivalent of a current account for receiving cryptocurrency) at $40.9 billion, although it estimates that the figure could rise to $51.3 billion.

Cybercriminals aim to convert this large volume of funds from illegal sources into clean money. ‘Typically, the attackers receive the money in Bitcoin or other cryptocurrencies and then try to access it without revealing their identities. They try to use different mechanisms, such as exchanges or mixers, to launder the money. In this process, the money is moved to different blockchain addresses, and then some of it sometimes returns to the real economy,’ says George Smaragdakis, professor of cybersecurity at Delft University of Technology (Netherlands).

To untangle this jumble, we need to clarify several terms and how they relate to each other. At a deeper level, this is what both Smaragdakis and Raúl Orduna are trying to do. Both are collaborating on Project SafeHorizon, a European initiative involving companies, public and private research centres, and police forces from different countries. Its purpose is to improve the EU’s preparedness for cyber threats, and part of this involves understanding how cybercriminals actually make money.

In the world of cryptocurrencies, which is key to understanding how this money laundering works, a wallet lets a user control multiple blockchain addresses at which they can receive or send funds. ‘Transactions on the blockchain are anonymous, but access to them is open. So, we can analyse money flows and detect money laundering patterns even if we don’t know who they belong to,’ Orduna points out. Researchers look for signs that services equivalent to those of a bank are being provided, but within the crypto sector and without the operators ever identifying themselves.

They focus mainly on certain blockchain mechanisms, such as escrow services or mixers. An escrow is a smart contract that holds back funds transferred by one party: the blockchain keeps them as a deposit until the conditions of the contract are met, after which they are released automatically to the recipient. Mixers were developed to increase the anonymity of transactions, and cybercriminals are among those who use them. ‘A mixer prevents you from tracing the sources of that money, triggering exchanges between different cryptocurrencies to lose track of who is paying whom,’ explains Orduna.

‘You may find the source of the money, because it is probably the victim, or someone representing the victim,’ says Smaragdakis. But he adds that after many transfers, the trail is lost. ‘Let’s say you have thousands or hundreds of bank accounts. If they discover something strange in one of them, they close it, but you still have all the others. It’s not easy to open many bank accounts, but it’s easy to open many blockchain addresses.’

With this technical infrastructure, cybercriminals try to sow confusion. ‘Before, they had one blockchain address where they collected money from many victims. But now the trend has changed, and they have one address for each victim’s money. Sometimes, many blockchain addresses are used for a single victim,’ explains the professor at Delft University of Technology.

Thus, cybercriminals do not hold the equivalent of half a million dollars in a single blockchain address, but rather spread it across many addresses holding $100 each, for example. This is much harder to monitor. And then comes the next step in laundering. ‘They can mix the funds with other sources of money or put it into a casino that accepts cryptocurrencies, just as they do with real money. By making many micro-bets with little profit and little risk, they lose money, but what they get is clean money that they can then withdraw in legal tender,’ says Orduna.

Another way to launder funds is through exchanges, cryptocurrency trading platforms such as Binance or Coinbase. These entities, however, are required to implement anti-money-laundering and know-your-customer policies, just as financial institutions are. Anyone who has opened an account with one of these exchanges will have had to upload a photograph of an identity document and take a selfie, which is checked against the photo on the ID. Users are therefore identified, and the police can request information about them with a court order.

Registered exchanges are therefore a poor option for cybercriminals, who turn instead to other kinds of entities to convert their funds. ‘Their flow of movement is the same or similar to that of registered exchanges. So be careful, here is someone who is behaving like an exchange but is not on the list of registered entities,’ stresses Orduna, whose team tries to detect such platforms through their transaction patterns.

Knowing how a registered exchange behaves on-chain, the researchers can build a model of that activity and search for its traces across blockchain networks. They work with digital behaviour models based on the observed activity of cybercriminals or on the tools they might use for money laundering. At this point the Vicomtech team works closely with investigators from the authorities.
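Two of the patterns described above, the splitting of ransom money across many small addresses and the search for addresses that behave like an exchange without being on the list of registered entities, can be illustrated with a small script. The following is an added example written for this article; it is not code from Project SafeHorizon, Vicomtech or Delft. The ledger, the addresses (V, R1, H1..H4, X, C, L1..L3, O1..O5), the registry REGISTERED_EXCHANGES and the thresholds in exchange_like are constructed assumptions, and the "haircut" taint rule and the many-to-many heuristic are generic flow-analysis techniques, not the consortium's actual models.

```python
"""Toy on-chain flow analysis.

Added example for this article, not code from SafeHorizon or Vicomtech.
It illustrates two patterns described in the text:
  1. ransom money being split across many small holding addresses,
     followed with "haircut" taint propagation (each outgoing payment
     carries taint in proportion to the tainted share of what the
     sender has received so far);
  2. an address that behaves like an exchange (many distinct depositors,
     many distinct withdrawers, little retained balance) but is absent
     from a registry of known, KYC-compliant exchanges.

Every address, amount and timestamp here is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    src: str
    dst: str
    amount: float  # BTC
    t: int         # seconds after an arbitrary epoch


# Constructed ledger. Victim V pays a ransom to R1. R1 peels it into four
# holding addresses H1..H4. Three of those deposit into X, a hub that also
# takes unrelated deposits (L1..L3) and pays out to fresh addresses O1..O5.
# H4 instead sends its slice to a casino deposit address C.
LEDGER = [
    Tx("V", "R1", 10.0, 0),
    Tx("R1", "H1", 2.5, 60), Tx("R1", "H2", 2.5, 60),
    Tx("R1", "H3", 2.5, 60), Tx("R1", "H4", 2.5, 60),
    Tx("L1", "X", 1.0, 300), Tx("L2", "X", 1.0, 320), Tx("L3", "X", 1.0, 340),
    Tx("H1", "X", 2.5, 600), Tx("H2", "X", 2.5, 650), Tx("H3", "X", 2.5, 700),
    Tx("H4", "C", 2.5, 800),
    Tx("X", "O1", 2.0, 900), Tx("X", "O2", 2.0, 910), Tx("X", "O3", 2.0, 920),
    Tx("X", "O4", 2.0, 930), Tx("X", "O5", 2.5, 940),
]

# Hypothetical registry of exchange addresses known to apply KYC checks.
REGISTERED_EXCHANGES = {"EXCH-A-hot", "EXCH-B-hot"}


def trace_taint(ledger, source):
    """Return {address: tainted amount received} using haircut propagation.

    Transactions are replayed in time order. Money leaving `source` is fully
    tainted; money leaving any other address is tainted in the same
    proportion as that address's cumulative inflow was at that moment.
    """
    received = defaultdict(float)
    tainted = defaultdict(float)
    for tx in sorted(ledger, key=lambda x: x.t):
        if tx.src == source:
            share = 1.0
        elif received[tx.src] > 0:
            share = tainted[tx.src] / received[tx.src]
        else:
            share = 0.0
        received[tx.dst] += tx.amount
        tainted[tx.dst] += tx.amount * share
    tainted[source] = received[source]  # everything the ransom address got is dirty
    return {a: v for a, v in tainted.items() if v > 0}


def counterparty_profile(ledger, addr):
    """Distinct depositors, distinct withdrawers, total inflow, total outflow."""
    depositors = {tx.src for tx in ledger if tx.dst == addr}
    withdrawers = {tx.dst for tx in ledger if tx.src == addr}
    inflow = sum(tx.amount for tx in ledger if tx.dst == addr)
    outflow = sum(tx.amount for tx in ledger if tx.src == addr)
    return len(depositors), len(withdrawers), inflow, outflow


def exchange_like(ledger, addr, min_depositors=5, min_withdrawers=5,
                  max_retained=0.2):
    """Heuristic: many-to-many pass-through that retains little balance.
    The thresholds are illustrative; a real model is fitted to the observed
    behaviour of known registered exchanges."""
    d, w, inflow, outflow = counterparty_profile(ledger, addr)
    if inflow == 0:
        return False
    retained = 1.0 - outflow / inflow
    return d >= min_depositors and w >= min_withdrawers and retained <= max_retained


def unregistered_exchange_candidates(ledger, registry):
    """Addresses that behave like an exchange but are not in the registry."""
    addrs = {tx.src for tx in ledger} | {tx.dst for tx in ledger}
    return sorted(a for a in addrs
                  if a not in registry and exchange_like(ledger, a))


if __name__ == "__main__":
    taint = trace_taint(LEDGER, "R1")
    for addr, amt in sorted(taint.items()):
        print(f"{addr:3s} received {amt:.3f} BTC of ransom-tainted funds")
    print("exchange-like but unregistered:",
          unregistered_exchange_candidates(LEDGER, REGISTERED_EXCHANGES))
```

Run as is, the script reports the casino address C and each holding address as fully tainted, X as having received 7.5 of its 10.5 BTC from the ransom, and each withdrawal from X as roughly 71% tainted; X is also the only address flagged as exchange-like yet unregistered, while the victim's own address V is never tainted because the taint is seeded at the ransom address. Real analyses work on individual transaction outputs rather than address totals, and set the thresholds from the measured behaviour of known exchanges, as the article describes.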

‘We collect more or less abstract requirements of what the State Security Forces and Corps need, what information and relationships they consider useful. We look for examples where we can identify that activity or generate synthetic data with that structure, so that we can develop intelligent models and test them with this fictitious, anonymous data,’ explains Orduna. Once a model has been shown to work, it is handed over to the actual investigation, now in the hands of the competent authority.

Much of cybersecurity research is devoted to understanding how attacks work, improving defences, anticipating breaches, and mitigating intrusions. But these researchers have another task: following the money trail. And their work is key to making it more difficult for attackers to profit, thereby minimising their financial incentive.

DISCLAIMER: The following article was written by Pablo G. Bejerano (https://elpais.com/autor/pablo-garcia-bejerano/), who CSIC invited to attend the SafeHorizon Consortium Meeting organised by CSIC on 27/04/2025 in Madrid. Translation made with the support of DeepL.com