Fraud Management & Cybercrime , Fraud Risk Management , Ransomware

Binance Says It Helped With Clop Money Laundering Bust

Cryptocurrency Exchange Acknowledges Flow of Illicit Funds a Big Problem
Binance Says It Helped With Clop Money Laundering Bust
Binance says this diagram shows how profits from cyberattacks are laundered through cryptocurrency exchanges. (Source: Binance)

Cryptocurrency exchange Binance says it recently assisted law enforcement officials in tracking down individuals who allegedly laundered millions for the Clop ransomware group.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Binance, an exchange that started in China but is now registered in the Cayman Islands, says the work was part of an effort to expand its anti-money laundering and analytics capabilities to detect abuse of its exchange by criminals.

In May, news agency Bloomberg reported that Binance Holdings Ltd. was under investigation by the U.S. Justice Department and Internal Revenue Service. The company, however, denied any wrongdoing and stressed its cooperation with law enforcement agencies.

"We believe that strong controls across exchanges, smart legislation and ongoing education will help immensely with weeding out bad actors," the exchange says in a blog post. "Our ongoing partnerships with law enforcement, as well as security and blockchain analytics firms, will be a driving force in improving the cybersecurity measures across the wider crypto industry."

A comprehensive study released by the Ransomware Task Force said a key strategy for fighting against attacks is disrupting the business model and decreasing profits. That includes encouraging cryptocurrency exchanges to comply with anti-money laundering, anti-terrorism and know-your-customer requirements (see: Fighting Ransomware: A Call for Cryptocurrency Regulation).

Recent Arrests

Ukrainian authorities, in cooperation with Interpol and U.S. and South Korean law enforcement agencies, announced the arrests on June 16 of six individuals who they say aided the Clop ransomware gang.

Ukrainian police executed 21 searches, seizing $185,000 in cash, computer equipment and cars (see: Ukraine Arrests 6 Clop Ransomware Operation Suspects).

"These criminals enjoy taking advantage of reputable exchanges’ liquidity, diverse digital asset offerings and well-developed APIs."

Clop, which has been around for more than two years, is a ransomware-as-a-service group that offers its ransomware to affiliate partners for deployment in exchange for a share of the ransoms.

Clop was responsible for releasing the data of a number of organizations that used Accellion's File Transfer Appliance, in which several zero-day vulnerabilities were discovered starting late last year (see: Qualys Gets 'Clopped' by Accellion-Exploiting Attackers).

Clop's Activities Continue

After Ukraine's announcement about the arrests, the security firm Intel 471 said the bust didn't appear to affect the activities of the Clop gang, which is believed to be based in Russia.

"The law enforcement raids in Ukraine associated with Clop ransomware were limited to the cash-out/money laundering side of Clop's business only," according to Intel 471. "We do not believe that any core actors behind Clop were apprehended and we believe they are probably living in Russia."

The website Clop uses to leak the data of its victims is still online. And managed threat intelligence services provider SOS Intelligence reports via Twitter that the gang recently added a new victim page to its website, indicating the gang is still active.

The new victim on the landing page is Valley Truck and Tractor, SOS Intelligence says. That company was not available for comment.

Using Blockchain Analytics

Binance says the biggest security problem in the cryptocurrency industry is the laundering of money that comes from cyberattacks.

"These criminals enjoy taking advantage of reputable exchanges’ liquidity, diverse digital asset offerings and well-developed APIs," Binance says. "In a majority of the cases associated with illicit blockchain flows coming onto exchanges, the exchange is not harboring the actual criminal group themselves, but rather being used as a middleman to launder stolen profits."

The majority of ransoms are still paid in bitcoin, although some gangs request payment in privacy-focused virtual currencies, such as monero.

Because bitcoin has an open ledger of transactions called the blockchain, the flow of ransoms and illicit funds can be tracked, although it may not be easy to figure out the real names of those who control the funds (see: In Ransomware Battle, Bitcoin May Actually Be an Ally).

Binance says it's been taking part in a multinational police investigation of the cybercrime gang known as Fancycat, which it says has been "distributing cyberattacks, operating a high-risk exchanger and laundering money from dark web operations and high-profile cyberattacks" that involve Clop as well as Petya ransomware.

The Petya ransomware appeared in 2016. It encrypted the master boot record of computers. It was followed in 2017 by a similar ransomware that was dubbed NotPetya. That malware affected shipping logistics giant Maersk and others (see: Ransomware Smackdown: NotPetya Not as Bad as WannaCry).

Rashmi Ramesh, senior subeditor, global news desk, contributed to this story.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.