Cryptocurrency exchange service Binance played an important part in the recent arrests of Clop ransomware group members, helping law enforcement in their effort to identify, and ultimately detain the suspects.
Using the name FANCYCAT to refer to the group, Binance says that the criminals were laundering money resulting from ransomware attacks and various other illegal activities.
The Cyberpolice Department of the National Police of Ukraine estimates that this ransomware group is responsible for causing financial damages of about $500 million.
With cybercriminals taking advantage of legitimate cryptocurrency exchanges to launder money, Binance has been improving its capabilities for detecting and analyzing cybercriminal’s cashout activity.
“These criminals enjoy taking advantage of reputable exchanges’ liquidity, diverse digital asset offerings and well-developed APIs,” the company notes.
Laundering illegal profits is done “through nested services and parasite exchanger accounts that live inside macro VASPs [Virtual Asset Service Providers],” Binance says, adding that cybercriminals use exchanges as intermediaries in the process of cleaning the stolen money.
Using its anti-money laundering detection and analytics program, Binance was able to determine suspicious activity on its service and create a cluster of suspects.
Working with two chain analytics companies (TRM Labs and Crystal), the cryptocurrency exchange service could gain better insight into the group’s on-chain activity and connect it with the Clop ransomware gang.
“Based on our analysis we found that this specific group was not only associated with laundering Cl0p attack funds, but also with Petya and other illegally-sourced funds. This led to the identification and eventual arrest of FANCYCAT” – Binance
Laundering money seems to be FANCYCAT’s specialty. The group was “operating a high-risk exchanger” and did business not just for ransomware gangs, but from other cybercrimes, too.