Bitcoin, despite its growing mainstream popularity, is a favourite tool of cyber criminals, with one ransomware variant, known as Ryuk, thought to have stolen $61 million since it was created in 2018, according to the FBI.
Ransomware hackers, who encrypt their victims’ files before demanding bitcoin or other cryptocurrencies to unlock them, began increasingly targeting hospitals and healthcare providers during the coronavirus pandemic, Interpol reported in April, with criminals taking advantage of an influx of remote workers.
Now, researchers who say they are concerned by this trend have compiled information that could be damaging to Binance, one of the largest bitcoin exchanges in the world—suggesting the exchange is failing to prevent Ryuk hackers from turning the stolen bitcoin into cash.
Researchers found that bitcoin worth over $1 million from several addresses connected to Ryuk ransomware attacks made its way to a wallet on the Binance exchange over the last three years, with the wallet still active as of this month.
“Out of the 63 sampled transactions worth around $5,700,000, it was found that over $1 million was sent from the hacking team wallets to the Binance exchange platform to cash out their ransom payments,” the researchers, who asked to remain anonymous, wrote in a document seen by this reporter and shared with Binance.
“Thirteen other bitcoin addresses associated with Ryuk, containing a total of $1,064,865, followed a similar pattern. All were sent from the hackers’ wallets to several other addresses, and eventually to Binance, enabling them to cash out their ransom payments.”
The remaining $4.7 million worth of bitcoin traced by the researchers is currently still being held at various off-exchange addresses, suggesting Binance is the cyber criminals’ exchange of choice.
Asked about the report’s findings, the Binance security team said that “fighting money laundering, ransomware, and other malicious activities is a never-ending endeavor at Binance.”
“It is our top priority to ensure the safety of our customers and the integrity of the broader crypto space,” Binance said, pointing to a number of “security features” and “engineering techniques” it uses to identify illicit activities, including “detection algorithms to flag potentially malicious activities.”
“Unfortunately, when it comes to tracking illicit activity on-chain, attribution is not always black and white,” Binance added, explaining “the recipient may be completely unaware of the fraudulent source of the transaction” and the exchange “has a wide variety of customers operating on its platform.”
Binance chief executive Changpeng Zhao, often known simply as CZ, has previously said the exchange relies on a mixture of in-house “blockchain analysis” and social media reports to prevent hackers and cyber criminals using its services.
Cracking down on unlawful use of bitcoin exchanges is “truly a tough balance,” one widely-respected blockchain industry expert said via Telegram, preferring to speak anonymously.
“If you clamp down with policies and procedures in order to try to slow these bad actors, it negatively affects all the innocent users. [There’s] no easy answer.”
Binance’s own analysis of the fund flows found that the Singapore-based bitcoin and cryptocurrency exchange Huobi received around 400 bitcoin indirectly sourced from a combination of ransomware campaigns, with the now-defunct exchange BX Thailand also receiving some 140 bitcoin from the Ryuk ransomware.
Meanwhile, Binance this month helped Ukrainian authorities take down a group of criminals involved in a global $42 million ransomware and money laundering operation.