Unveiling the Depths of Cross-chain Crime: A Comprehensive Analysis

masteryweb3_admin




In the ever-evolving landscape of cryptocurrencies and blockchain technology, the phenomenon of cross-chain crime has emerged as a significant challenge.

The report “The State of Cross-chain Crime” by Elliptic provides a deep dive into the intricate world of decentralized exchanges, cross-chain bridges, and coin swap services.

Let’s embark on a journey to unravel the key elements of this report and understand the implications of cross-chain crime in the digital realm.

Cross-chain crime refers to the practice of converting cryptoassets from one asset to another to conceal their illicit origin. Criminals use cross-chain and cross-asset services, such as DEXs, cross-chain bridges, and coin swap services, to launder illicit funds. These services do not typically require ID verification, making them attractive to criminals.

Cross-chain crime is on the rise due to the increasing number of cryptoassets available, the growing proportion of illicit funds generated in assets other than Bitcoin, and the displacement effect caused by enforcement actions targeting traditional frontiers of crypto crime.

Elliptic’s Holistic-powered blockchain analytics capabilities have identified that $7 billion worth of illicit funds have been laundered through cross-chain and cross-asset services, indicating that cross-chain crime is accelerating faster than predicted. Criminals use asset-hopping or chain-hopping to make their activities difficult to trace.

Decentralized Exchanges (DEXs)

Decentralized exchanges (DEXs) have become a hotspot for illicit activities, with cybercriminals exploiting these platforms for money laundering and terrorist financing. The report sheds light on the use of DEX limit orders and crypto derivatives in facilitating criminal transactions. Case studies illustrate how entities like Lazarus and terrorist organizations leverage DEXs to fund their operations.

Three recent use cases have been explored.

Use of DEX Limit Orders

A limit order is a predefined instruction to buy or sell assets at specific prices and within set timeframes. These orders are executed automatically by smart contracts when the specified price and timing conditions are met.

Elliptic’s investigators have uncovered instances of criminal exploitation of 1inch’s Limit Order Protocol. This highlights how cybercriminals leverage developments in DeFi to obscure the flow of illicit funds. By using limit orders, criminals can complicate the tracking of funds, aiming not to completely hide the destination of funds but to slow down investigators enough to facilitate the off-ramping of funds.

Use of Crypto Derivatives

Cybercriminals adeptly utilize services designed to enhance the DeFi user experience to obfuscate and complicate fund flows. Their goal is not necessarily to completely conceal fund destinations but to create enough complexity to impede investigators.

An example is the collaboration between Curve and Synthetix, where Synthetix issues synthetic assets called “synths” that represent exposure to the price of underlying tokens or commodities. Users can hedge against market volatility or speculate on price swings using these derivatives.

Curve Finance has introduced a new type of cross-asset swap using the Synthetix bridge, allowing for large-value swaps with minimal slippage.

These swaps involve two separate transactions with a minimum settlement period of six minutes and require the use of Synthetix-issued derivative tokens like sUSD, sETH, or sBTC.

Use of DEXs by Terrorist Organizations

Elliptic’s report on “Terrorist Financing and Cryptoassets in 2023” reveals that terrorist organizations increasingly use Tether (USDT) rather than Bitcoin for their crypto transactions. Groups like Hezbollah, Hamas, and the Palestinian Islamic Jihad, along with illicit remittance facilitators in Palestine and Gaza, predominantly use Tether.

Wallets associated with these organizations are commonly found on the Tron blockchain. For instance, wallets linked to the Palestinian Islamic Jihad have engaged with USDT on the Tron blockchain, amounting to $94 million. This shift towards non-native assets has led these organizations to utilize DEXs for financing their on-chain activities.

Cross-chain Bridges

Cross-chain bridges play a pivotal role in enabling interoperability between different blockchains. The report delves into the significance of these bridges and highlights recent developments in the space. Case studies showcase how scammers and launderers utilize bridges for illicit purposes, emphasizing the need for enhanced regulatory scrutiny in this domain.

An Elliptic Investigator graph in the report visualizes the flows of funds from the Harmony Horizon Bridge hack across different blockchains, including Bitcoin, Ethereum, Avalanche, and Tron.

It also shows the tracing of these funds through various mixing and obfuscation services such as ChipMixer, Sinbad mixer, Tornado Cash, and Railgun.

Cross-chain Crime volume. Source: Elliptic

The Avalanche Bridge and North Korea

The report highlights the significant use of the Avalanche Bridge by the Lazarus Group: over $437 million was moved through the Avalanche Bridge, over $100 million through SWFT Swap, and over $14 million through the BitTorrent Bridge. This demonstrates the increasing use of cross-chain solutions by professional money launderers and brokers, not limited to North Korean hackers. The report also mentions the use of bridges by scammers involved in romance scams, with proceeds being laundered through major bridges such as SWFT, PolyNetwork, and Avalanche Bridge before being transferred to other blockchains and eventually ending up in centralized KYC-compliant exchanges.

Bridging using centralized services

Furthermore, the report discusses the exploitation of the Solana protocol Mango Markets and the movement of assets from the exploit to Ethereum using centralized services such as Circle. It also mentions the use of the DAI stablecoin to prevent freezing of tokens once their illicit source is known, and the successful real-time tracing and interception of funds through Holistic investigative capabilities, as demonstrated by Elliptic Investigator.

Pig butchering proceeds being laundered through bridges

Additionally, the report discusses the next generation of cross-chain bridging, highlighting newer services such as Synapse, Stargate, and SWFT, which enable native-to-native asset swaps across different chains. It emphasizes the continuous development of the cross-chain bridging sector within the decentralized finance industry and the potential for inadvertent opportunities for money laundering and other financial crimes.

The report underscores the importance of Holistic blockchain analytics capabilities in effectively tracing and mitigating illicit funds involved in cross-chain activities, as demonstrated by the case of the Lazarus Group.

Coin Swap Services

Coin swap services have emerged as a preferred choice for cybercriminals seeking to cash out illicit gains. The report explores the criminal ecosystems associated with these services and the diverse range of assets they facilitate, including Monero and accounts of sanctioned Russian banks. It underscores the importance of blockchain analytics in profiling and monitoring coin swap services to mitigate financial crime risks.

These services may provide additional offerings such as cash counting services with armed protection within specific regions, as exemplified by a service operating within the ring road of Moscow. The mention of a coin swap service advertising a courier position on a dark web forum indicates the diverse and sometimes unconventional nature of services provided by these platforms.

Furthermore, illicit-facing coin swap services may offer direct API integration for users and illicit services to facilitate payments through their own interfaces.

They may also provide rudimentary anti-money laundering (AML) screening reports for the cryptocurrency they send to clients after conversion, aiming to prove that the funds are “clean.”

Some services may pledge that incoming crypto will have a risk score below a certain threshold, with higher commissions charged for even “cleaner” funds.

The report also mentions the dark web blockchain analytics tool “Antinalysis,” which likely provides reports to check the cleanliness of cybercriminals’ crypto for cashing out through know-your-customer (KYC)-compliant exchanges.

Additionally, the report discusses the various platforms and methods through which illicit-facing coin swap services operate, including websites, Telegram, Jabber addresses, direct messaging on illicit forums, and even WhatsApp. It notes that many of these services share similar website templates provided by external providers, emphasizing the standardized approach in the design and operation of these platforms.

One aggregator, “Bestchange,” tracks numerous “reliable” coin swap services holding significant reserves across cryptocurrency, cash, and electronic money. The data indicates that there is no single dominant player in the illicit-facing coin swap ecosystem, with the most popular service representing only a small percentage of overall usage.

Moreover, the report reveals that Tether (USDT) holds the largest reserves across multiple blockchains, followed by Monero and Bitcoin. It notes that coin swap services are an effective way for criminals to obtain Monero without revealing their identities, contributing to the popularity of these services.

The data from Bestchange also shows a significant percentage of exchanges involving Tether on the Tron blockchain, underscoring the diverse nature of crypto crime and the evolving trends in the use of different cryptocurrencies for illicit activities.

Holistic Technology for Cross-chain Compliance

The utilization of holistic blockchain analytics is crucial in combating cross-chain crime and ensuring compliance in the digital asset space. The report emphasizes the role of Elliptic’s Holistic Investigator and Discovery tools in profiling coin swap services and analyzing on-chain flows across multiple assets. By leveraging these capabilities, virtual asset services and law enforcement agencies can effectively trace and mitigate illicit activities in the cross-chain ecosystem.


In conclusion, the report “The State of Cross-chain Crime” provides a comprehensive overview of the challenges posed by illicit activities in the blockchain space.

From DEXs to cross-chain bridges and coin swap services, the report highlights the evolving tactics employed by cybercriminals to exploit decentralized platforms for nefarious purposes. By embracing holistic blockchain analytics and enhancing regulatory oversight, stakeholders can combat cross-chain crime and foster a safer digital asset environment.
