
Thank you for the door. And welcome back. We are continuing, and switching to cyber crime. Does anybody actually know what happened 10 years ago? A big cyber crime took place, almost to the month. So it was February 2026. 16, sorry, 10 years ago. >> No, a heist. Which heist happened? Cyber heist. Lazarus. True. What did they try to take? Obviously, a billion dollar heist on the Bangladesh central bank. You remember that case? They tried to steal a billion dollars, managed to take only a hundred million, small change, and in the end even much less than that was actually extracted and laundered. So this brought a lot of change about how
to trace threat actors and follow the money. If you haven't read it, read the book Tracers in the Dark by Andy Greenberg, the one who wrote about Sandworm. You will hear how Chainalysis and other companies actually aided law enforcement in tracing the money of cyber crime, especially crypto assets. And today our next presenter will talk exactly about following the money of cyber crime and cryptocurrencies. Please give a warm welcome to Matia Cos.
Okay. So you guys are the hardcore group that stays awake on Friday after lunch. So kudos to you too. I had some ideas to talk about the maths and stats behind crypto and some elaborate obfuscation techniques, but don't worry, I've scrapped all that. I made some modifications to my presentation to make it as easily digestible as possible and as fun as possible. So chill back, relax, and enjoy the show. So in this session we'll just try to earn some money, and we will track crypto from the criminal act, across getting paid, all the way to cashing out and buying something in the real world with it. And my hope is that I will be able to show you
some insights into how crypto is used in cyber crime and to show you some tools that you can use to put an end to these kinds of operations. There will always be those cyber criminals that just want to watch the world burn, but in most cases they are in it for the money. Easy money. If you make it harder for them to get paid, you will deter a lot of them from actually doing cyber crime. Okay, so that's the motivation behind the presentation. Just two quick disclaimers. Number one, this is not the only use case of crypto. I have nothing against crypto, and crypto is not inherently bad. And number two is that I hope that this does not come across as a
how-to guide to cyber crime. This is just a high level overview. Okay? So if you follow these steps, you will most likely end up in prison. But still, it is a fun story. Okay? What better way to experience all this than to put ourselves in the shoes of a humble ransomware operator who has a childhood dream of buying himself a Lamborghini, because who didn't have a Lambo poster above their bed as a child, right? I know I did. So in the first part of the presentation, we will see how much the Lambo costs, and then we will see why we would want to use crypto as a means to get it.
After the organizations that didn't ask for our voluntarily done pentest or distributed backup pay for our services, we will see what kind of obfuscation techniques we can use in order to turn off or discourage forensic analysis, and then we will see which methods we can use to turn this dirty crypto into clean crypto and then into fiat currency and buy ourselves a Lambo. So at the end, we'll either buy our dream car or we'll end up in prison. Either way, we'll have some dos and don'ts to tell the investigators. Okay. So, as I already said, objective number one, Lambo. They go for around 280K USD. And of course, we want to have
a custom paint job, right? Because who doesn't? That's an additional 15 to 20K. So let's round this up to 300K. That's our objective number one. That's why in the top right corner of the presentation you will see this tracker of the current funds that we have. Okay. So the magic number to look for is 300K USD up here. And we have another objective which is equally as important, I would say even more important than objective number one, and that is to avoid arriving in prison. Okay. So equally as important. To avoid arriving in prison we will use crypto. And why is crypto used in cyber crime? Because
of these four attributes. First one is pseudo-anonymity, which means that once the transaction is done on chain, the only attribution between the transaction and the person behind the transaction is the association with the wallet address. Okay. So if we are not doxed, there is no association between the person behind the wallet address and that wallet address. Okay. So we are kind of anonymous. If the centralized exchange that required a lot of KYC gets raided by the feds, they can deanonymize us, and at that moment all the past transactions and any future transaction that we will make from that wallet will be tracked. Okay. Number two is global access, which means
that we can be ransomware operators stationed in Russia and we can do cyber crime against the US, Africa, China, wherever, and they can all pay us our ransom no matter the jurisdiction. They just have to have internet access and a wallet address. Number three is speed. So the transactions on blockchain settle really quickly, within minutes. So you can make a lot of transactions in a very short period of time. This is specifically a disadvantage for the forensic analysis. And number four is irreversibility, which means that once the transaction is verified on chain, once it is done, there is no taking back the money. So there is no central authority like a bank that
you can appeal to and say, oh, this was a scam, we didn't mean to make this payment, can you please give us our money back? There is no reversibility in blockchain. Okay. So once it's verified you say bye-bye to it. It's going to my Lambo fund. Okay. Let's get to it. So we will join a ransomware group that is already well established. It is high-profile and it works like a business. Okay. They have some big operations, they get big payouts, and we already did our due diligence. So we made a name for ourselves in cyber crime forums. We did some high-profile leaks. We did some ransomware stuff on the side. And we've built our circle of trust. The people
from our circle of trust vetted for us to the ransomware group and we got an interview. When we talk about this kind of stuff we always have to look at the group that we are joining. So our group is well established, they work as a business, and they have two modus operandi that they use. So they either operate with their core members or they operate through an affiliate program. Okay. So core members are actually the guys that made the crypto, set up the infrastructure, and manage both the infrastructure and the negotiation portals. And affiliates, on the other hand, just rent out the crypto, do the initial access, deploy the crypto. Everything after that is
automated. So we split our funds with them. For their operation they will receive, for example, 70% and we as the operators will receive 30%. Or an 80/20 or 90/10 split. Okay. But our group is smart and they look at affiliates only as passive income. So they focus on core members, and core members do their own operations. Okay. So this is where the big money is and this is the group that we want to join. As I said, they are structured like a business. So they have three sectors. Sector number one is the initial access guys. Sector number two is red teams, and sector number three is negotiators. In the initial access group we have
three workers and one team lead. And these team leads also do the work. So they are not just the team lead. So we have three workers and one team lead. In red team we have four workers and two team leads because they operate in shifts. And in the negotiator group we have two workers and one team lead. As we are doing the interview they automatically say to us, you will not be able to join negotiators. These guys are pre-selected. But this is a topic for another time. So you are able to join either the initial access group or a red team. Okay. And what do you do in the interview? You talk about your skills,
right? And you talk about the salary. So the salary for the initial access guys is based on a percentage. So they get a percentage of each successful ransom that they are part of. Red teamers get a basic salary, so they operate like a business, and they get a percentage. And then all the negotiators are on a salary plus a bonus. So for the initial access guys, regular workers get 8% and team leads get 10%. For red teamers, regular workers get 10% and the team lead gets 2K USD per month in crypto plus 13% of each successful ransom that they are involved in. And the negotiators are on a 2K salary per month and they get bonuses. For example, if they make five
successful negotiations in a row with no less than a 20% discount, then they will get, for example, 100K on top of that. Okay, so negotiators are off the table. We can either join the initial access guys or the red teamers, but we cannot join as team lead because we are not seniors yet, right? They do not trust us fully. So of course we want to join the group that gets the highest percentage. So that's why we'll join the red teaming group, which as a regular worker gets 10% of each successful ransom that they're involved in. But on top of that we have some costs that we have to take into consideration. We have a data leak site that uses some bulletproof hoster
and we also have three torrent servers which we use to distribute our data out. These torrent servers are located in Bulgaria and they cost 400 bucks per month each server. So that's 1.2K per month. You might ask yourself, why do we have to have a good data leak site? Because these days the organizations will most of the time restore from backup. But if we have their data that is really sensitive, they will pay us not to leak the data out. And if we cannot leak the data out successfully, we are not a threat to them. Okay? So they will restore from backup. They know that we
can't distribute the data out. So they will not pay the ransom. If we want to be scary ransomware operators, we have to have a good data leak site. And on top of this 1.2K, we have to add five workers that we pay per month. So we have five workers times 2K, which is 10K, plus 1.2K, which is 11.2K, and let's round this up to 12K per month. So we didn't even start and we already lost some funds. But don't worry, don't worry. We'll make up for it. Our workflow is really quite simple. We work as a regular ransomware group. So our initial access guys will do their own engagement. They have again two modus operandi. Number one is self-made
initial access, which they prefer because it is targeted and it gives them a bigger return on investment. So they will do their own social engineering, their own phishing, their own exploits, their own walk parsing and stuff like that. Or they can use subscriptions to different initial access groups, for example on Telegram, where they pay an additional 130 to 170 USD per month. Okay. But as I already said, they prefer this self-made access. Once they have found the initial access, they will create spreadsheets, documents, text files, whatever, where they will detail what type of access it is and what credentials they used to achieve this initial access. Then
their team lead will talk to our team lead and give him the initial access list. Okay. So there is no interaction between us as red team workers and the initial access guys. Only team leads communicate, because we are careful about OPSEC, right? Once our team lead gets the data he sifts through all the initial access there is and he creates a priority list. On our priority list, most of the time in the number one spot we have financial institutions, then lawyers and then hospitals. I know what you're about to say. Isn't there honor among thieves, that you do not ransom hospitals? Just take a look at two, three
years back and you will see a lot of hospitals actually getting ransomed. Why? Because all these three sectors contain very sensitive data about their customers. So if we exfiltrate the data out, we don't even have to encrypt the organization. If we exfiltrate the data out, for example out of a drug testing hospital, and some businessman was a client of that hospital, you know that those clients will push the organization to pay the ransom, or they will pay the ransom themselves, because they're afraid that if the data gets out they will be finished, right? So this is the leverage that we utilize mostly here. That's why hospitals, on top of financial institutions and
lawyers, are on our priority list. After we've set the priority list, we do our setup in a network. We do a regular pentest engagement. So we do privilege escalation, lateral movement, we deploy the crypto, exfiltrate the data out, leave the ransomware note behind detailing what steps the victim has to take to join our negotiation portal, and the most important thing, we leave behind the amount of funds that they have to pay us. Okay. So some stats show that 40% of the organizations that got ransomed entered the negotiation chats and 25% of them actually paid the ransom. The median asking price for the ransom of these institutions is 2 million. Okay. So
we will ask for 2 million in funds, and let's say our negotiation team is really, really good and they settled for 1.5 million, and the organization actually paid us 1.5 million, okay, which is 21.78 bitcoin at the time that I did the presentation. But this is only the beginning. So we got paid, everything is tied up, you can think we are happy, but there is a long way ahead to reach our Lambo. We create a dedicated wallet for each organization that we ransom because we are careful about OPSEC. We do not want to compromise the additional operations that we also run. Everything after this part is also heavily automated. But before we
start laundering our money, we have to take out a certain chunk because we have some fees to pay. We have to take out 200K USD for our boss, of course, for our HR department, our developers and our bulletproof hosting. And if we combine this 200K plus that 12K that we already have to pay, we will lose 3.8 bitcoin. So 21.78 bitcoin minus 3.8 bitcoin, we will receive 18.7. This 18.7 bitcoin is the amount that we can split between those initial access workers and us as red team workers. So we will be entitled to some percentage of this 18.7 bitcoin. So, the main portion of the presentation, obfuscation techniques. This is the animation that shows the
flow of cash from a specific ransomware group. All the TTPs that I will show here are real, but they do not belong to a single ransomware group. Okay. So I've made an amalgamation of different TTPs from different ransomware groups and show them here, but they are all real TTPs. So the most common first step in the money laundering process is to add the funds to a mixer. So a mixer, or a tumbler, is nothing special. It is a service that blends funds from multiple sources together and distributes its own. Okay. So think of it as you add your funds to a pool. An additional four users or five
or 10 or maybe a thousand users add their funds to the same pool. It gets mixed like a soup and then you get your funds back. Okay. So we put in 10 bitcoin. We will at the end receive 10 bitcoin minus the fee. But it will not be our bitcoin. Okay. So two bitcoin will be from person X. An additional five bitcoin will be from person Y, and so on and so on. Okay, so we will receive the same amount but it will not be our own bitcoin. There are two types of mixers. There are custodial and non-custodial mixers. Custodial mixers are the ones that are centralized. So it's really easy to use
them. You just specify the amount that you want to mix and you specify the wallet or the multiple wallets that you want to receive the funds to, and that's it. You don't have to worry about anything else. The problem here is that they require higher fees and that law enforcement actually prefers to raid these centralized mixers because they require more KYC from the users. Okay. On the other hand we have non-custodial mixers, which are decentralized mixers where you have multiple smaller pools where users add funds to a specific pool. So there is no one centralized spot that the feds or law enforcement can raid in order to compromise us. Plus these
non-custodial mixers do not require as much KYC and the fees are lower. The problem here is that if we have multiple smaller pools, there will be a smaller number of users actually contributing to the pool. Okay. So in a custodial mixer you can have a thousand, 2,000, 5,000 users contributing to the same pool. So there is a bigger soup. In non-custodial mixers you have a smaller pool, and if, God forbid, the feds actually raid that smaller pool, it will be easier for them to deanonymize us because they will have, for example, five or 10 users to check. Okay. There is also CoinJoin, which is not a mixer. It's actually a protocol which just
holds the transaction for a certain period of time, mixes it with other transactions while in progress, and then distributes the funds out. So the difference here is that when you use a mixer, you actually lose access to your funds. So once you add the funds to a pool, you do not have access to them. If the owner of the mixer decides to rug pull, tries to run off with your funds, you cannot do anything about it. Okay, you lost your funds. In CoinJoin, as I said, it's not a service, it's a protocol. You never lose access to your funds. If you want to talk about CoinJoin and Wasabi
Wallet and stuff like that, we can talk about that later on. The thing to note here is, I don't know if you can see the dates and the time of each transaction, on top you can see the amount, but all the dates and times are in the same second. So this is that speed attribute of cryptocurrencies. Okay. So all the transactions here are done in the same second. After the one set of mixing, we can do additional mixers and so on and so on. Okay. So we've taken care of the left portion of the animation. Now we move on to the right portion, which is the peel chain. A peel chain is even simpler
than a mixer. It is actually just a process of peeling out smaller amounts. So we have a big amount of bitcoin, for example. We take out a small amount. We pass on the bigger amount to a different wallet. After that, we take an even smaller amount of that small amount, pass it on to a different wallet. The remainder goes to a different wallet. Okay? And we can continue to do this indefinitely, or as long as we want, as deep as we want, but we have to take into consideration that each transaction requires a fee. Okay? Why would we want to use peel chains? Because of these three things. So if law enforcement is trying to track us and they arrive
somewhere here in the middle, it will be really hard for them to track the original source and the destination of the funds if they do not use specific tools or some services like Chainalysis and stuff like that. An additional reason we would want to use peel chains is to avoid anti-money laundering systems. So if we want to convert our funds into fiat currencies, we cannot just go to the centralized exchange and say, okay, we have 18.7 bitcoin, just turn this into fiat for me. Okay, they will flag this transaction and they will start asking questions: how did you get the funds, who did you get it from, and so on, which can lead
into an investigation. But if we make multiple smaller transactions from multiple different wallets, we can potentially avoid these anti-money laundering systems. Additionally, there is something known as cross-border laundering, which means that we would ideally use wallets located in different countries around the world, or services around the world. Okay. So that if they want to track us, they will have to do multinational collaboration in order to put an end to our operation. Okay. Again, a lot of these transactions are done a split second from each other. So from the mixer, all the transactions go in, it takes some time to mix them, and after the mixer you can do the peel chain in a
matter of 10 minutes, maybe. Okay, so everything here is really, really automated. So we've taken care of the left portion, the right portion now, and you see there is another slide here, but there is nothing from the animation there at the end. This abrupt stop means that we've jumped chains. Okay, so we converted our bitcoin to a different cryptocurrency using something known as cross-chain bridges. Okay, cross-chain bridges are just a service, or a swap service, that turns one cryptocurrency into another one. So we started with bitcoin on the Bitcoin blockchain. Then we used something known as Uniswap, which converted our bitcoin into wrapped bitcoin on the Ethereum network, for example. Then we used PancakeSwap,
which turned it to Binance Smart Chain, which is a higher volume chain, and then we used something known as Uniswap, which then turned that into USDT on Tron. USDT is a cryptocurrency that is preferred by the cyber criminals for cashing out because it has really, really low fees and it has a high liquidity pool, let's say it like that. We can either do it manually, as you saw in the previous picture, or we can use a third party service. This is the example or the workflow of the service that was promoted on one of these hacking forums, where we, as the users,
would send our dirty crypto to a centralized service, which will then sell our dirty funds to normal users. They will receive cash. They will use this cash to buy additional cryptocurrency on, for example, Binance. Then they will receive this clean crypto, take their fee and send us the remainder. Okay, everything here is super easy to do for us. But the big problem here is trust, right? We have to trust these guys here that they are not going to run off with our funds or that they are not actual law enforcement. So we've done everything as a group. So we did our mixing, we did our peel chains, we did some cross-chain bridges
and we have to now pay some fees, right? So we will lose 2.7 bitcoin for all these fees. Some stats show that good cyber criminals will lose 10% of their funds for these obfuscation techniques and this obfuscation process. Okay, so we lost 2.7 bitcoin. We are left with 16 bitcoin and this is the amount now that we can split to our workers, including us as a red teamer. Okay. So, if you remember from the beginning, we are entitled to 10% of these funds. So we will get 1.6 bitcoin on top. So this is now our funds that we have at our disposal. What we want to do, and what we should do as a criminal, is then
do our own set of obfuscation techniques. Okay. So we will do the mixing portion again, the peeling portion again, cross-chain bridges and stuff like that, if we do not want to end up in prison. If we want to end up in prison, we will just cash out immediately. But we are smart. So we will lose an additional 0.14 bitcoin to do our own personal obfuscation techniques. Okay. After we've done that, we will have 1.46 bitcoin and we can decide what we want to do with it. We can either put it in a savings fund. Okay. And if we decide to go this route, we would want to turn this bitcoin into
something known as privacy coins. The big three are Monero, Litecoin, and Zcash. Monero is definitely the king here. So privacy coins are called privacy coins because only the sender and the receiver know that the transaction took place. Okay, there is no chain-level traceability. So the animation that we saw a couple of slides back cannot be done, for example, on the Monero blockchain, because there is no tool that can allow law enforcement to actually see this trace. Okay. And that's because they have private ledgers. So most of the time privacy coins are used for long holding of the currency and something known as
OTC cash out. We will talk about this OTC cash out later on. Why would we not want to use privacy coins? Because they immediately raise a lot of suspicion. Big centralized exchanges have mostly stopped converting or actually accepting privacy coins because they are immediately associated with criminal activity. It is not the only use case, for example, of Monero. It is a privacy coin. Privacy can be either good or bad, but most of the time centralized exchanges have immediately started flagging and not supporting actual transactions with privacy coins. So if we want to save our funds, we would put them into privacy coins and then convert them again afterwards, when we are
ready to cash out, to something else. Okay? But we do not want to turn our funds into a savings account because we want to buy ourselves a Lambo. So we have to actually cash out and we have to turn it into fiat currencies, because we cannot just go to the car dealership and bring two bags of cash, right? Or we can do that, but we would not want to do that. Okay? And we most definitely cannot just go there and say, "Oh, I have a crypto wallet on this small USB. Just trust me, bro, and give me my Lambo." Okay? So we have to turn it into real money. To do so we
can use something known as centralized exchanges, which are really good because they have a high liquidity pool, which means that they actually have, in this case, 100K USD to give us. Some smaller centralized exchanges do not have as big of a liquidity pool and they have maybe 10K or 20K at their disposal at any time. So we want to use some big centralized exchange to get our funds out. How would we approach this? We would definitely not use real KYC, right, because all the centralized exchanges are heavily monitored by law enforcement and they have to comply with the regulations of the country that they are in. So that's why we would want to
use fake KYC and use some low volume offshore centralized exchanges, and again, to avoid being detected by those anti-money laundering systems, we would use something known as micro withdrawals, which is just taking out a smaller amount. As to why not use them: again, heavily monitored, potentially honeypots, or potentially controlled by law enforcement. The thing that we can use is something known as a peer-to-peer platform. A peer-to-peer platform is just a meeting ground where buyers and sellers meet, regular people like you and me. So, for example, one of those peer-to-peer exchanges is known as Bisq. We would go to that platform. I will say that I am selling 1.46 bitcoin.
Someone will say, I have, for example, 100K. Do you want to do the exchange? Okay. If we say yes, we will then agree to use a different form of communication, for example Session, Telegram, God forbid Discord, right, to talk and to arrange the details of our transaction. When we are talking on Session we will say, okay, I will send you the funds to this account, you will pay to my Revolut, or you will buy gift cards for me, or you will use PayPal or whatever. Okay, the problem here is that, I don't know about you, but I am not walking around with 100K in my pocket, so
if we want to convert a large amount of funds into fiat currency we will not use peer-to-peer platforms, because on the other side it's regular people. Okay. So these peer-to-peer platforms are mostly used for smaller transactions, up to 10K. Okay. And why are they harder and tricky to trace? Because the communication between actual buyers and sellers is done on different platforms and each transaction has inconsistent identifiers. So for example, once we will use Session and we will say, okay, give me my funds to Revolut. Another time we will use Telegram and we will say, okay, give me my funds in the form of a PayPal transfer. Okay. So it's really hard for law
enforcement to put an end to these operations. On top of that, after the transaction is done we can delete our account and our wallet, both our actual wallet and the address that we have on, for example, Bisq. Okay. So we can purge everything after each transaction. Again, we will not use this option because we have 1.46 bitcoin, which is 100K. Okay, we cannot just go to a single platform and say to some random person, can you give me my 100K? Okay, we will use something known as an OTC broker, or over-the-counter broker. This is the communication that I found, or the service that I found advertised, on specific hacking
forums, where he calls himself a pentester. He said, "Hi, I saw your profile on this forum and I just received the payout from a pentest job." Yeah, right. "And I don't know what's the best way to convert it in Russia." Okay. And then the OTC broker responded like this. He said, "Hello, we do card transfers from 400 and up. We do courier delivery from 30K up. And we do", I think, QR code, which is some Russian thing, I will not worry about it, "from 5K up." Each transaction requires specific fees. Okay. As we have 100K, we will opt in to use courier delivery because we have more than 30K,
right? And on top of that, courier delivery has the lowest fee, right? And our funds are dirty. So we will lose 4.8 bitcoin for this. After that, he says, "You pay first. Once the funds are fully received, I place the order and we arrange the location and time." Okay. "Delivery takes two to five hours, maybe longer if couriers are overloaded." So now our warning lights start to appear, right? Okay. He will not go there by himself. He will send a courier. Okay, we will have to meet up in person. Then he says pickup is secured by a token, which means that before or after we make the initial transaction we will take a picture of a bank note,
a real life bank note showing the serial number. We will send that picture to him. Once we meet in real life we will show the same bank note showing the same serial number, and this will verify to him that we are the actual buyer that sent the funds in the first place. So he says, "You send me a photo of the bill and bring it to the meeting to prove you are the recipient." And he said, "What say you?" We are in. Okay. So we are in, but we are smart. If he uses couriers, we will use someone else, right? Because we do not know if that guy is actually a police officer, right, or if he is some strong,
big guy who will beat us up and just take our money. So we will pay some low-level thug. We will give him 5K to go there instead of us. But we are even smarter, because we will pay an additional 5K to a different guy to beat up the first guy if he decides to run off with our funds. Okay. So we've covered all our exits. So we will lose 2 * 5K, which is 10K, and then we will lose an additional 6.8% of that for the courier delivery fee to the OTC broker. So we will receive our initial 100K, but we will lose 16.8K of that. After that we are left with 83.2K of real world cash. So we have it,
it's in our office, wherever. Okay, we have it on our desk. We have to do that four more times. All this process we have to do four more times to reach our magic number of 300K. Okay. So let's say that we did all that and that we've managed to not get caught. So we have at our disposal in our office 300K. But the thing doesn't stop there, because we cannot then just take these funds, go to a car dealership, put them on the front desk and say, give me my Lambo. Right? They will start asking questions. How do you have such an enormous amount of cash on your person? Right? So we have to legalize our funds. Do not
take my word for it. This is the advice given by LockBit, so the owner of the LockBit ransomware group, where he says: "Well, and perhaps the most important, long and nasty thing: legalization for the law enforcement agencies of any country. All sources of your income must be clear and transparent. Everyone must know where your money comes from and that it's legal. As soon as you start spending unlegalized money, you stick your ears out of the crowd." Machine translation, so whatever "ears out of the crowd" means. "Which means you can be taken into development," that is, investigation. "Personally, I like the restaurant business. Many people pay in cash, or can supposedly pay in cash, and thanks to this you can safely launder sufficient amounts of money." But a legitimate business is not the only way to legalize our funds. These are some examples that criminals like to use. While NFTs were so popular, they heavily used NFTs. Quite morbidly, they will also use the death of a family member, where they will say, "Okay, my grandpa died and he left me a big sum of money," or he left something buried in the backyard. They will also say that they won in an online casino, but casinos have started to pick up on this, so they are also part of the investigations when law enforcement does this. They can invest in some real estate, in the Middle East specifically. So the Middle East is the place where they actually launder a lot of money. And they can always hide behind some legitimate business. Okay. Once we, for example, use our legitimate business to launder all these funds to make them actually legalized, >> we got it. >> Congratulations. Feast your eyes. Feast your eyes. >> Okay, so we bought our dream car. We did everything right. But do not get your hopes up. Inevitably, we will end up in prison, because as you've seen, there are a lot of steps that can go wrong and probably at some point will go wrong. And I don't know of any hacker
that has 50 plus that hasn't been investigated or isn't under investigation. Right. Some dos and don'ts for the investigators. If you are at some time tasked to do an investigation on crypto and money laundering, you should establish your ground truth early, which means that you should be in constant communication with the organization that was ransomed. They should show you their ransom notes so that you know which group runs on them, because I hope that you have your own database where you track the TTPs of the specific group. Also, they will have to tell you how much they plan to actually pay for the ransom, because then you can say, okay, we have past experience that this specific ransomware group will go to a 50% discount maybe. So do not say that you will go all in immediately, that in the first step you will give them 75%, because it's not smart to do that, right. Also, you should track structure, not just the value. So you should have a mental picture, and now you know how mixers look, you know how peel chains look. So just look for those patterns. Do not just look at "okay, one bitcoin went here, two bitcoins went there, something happened like that." So take a bigger perspective. Look at the patterns that they use, and of course use some on-chain tools, depending on the budget that you have. But remember, no tool is perfect across chains, which means once the threat actor used a cross-chain bridge or switched from, for example, the Bitcoin blockchain, you have to use a different tool which allows you to track those funds. Okay. That's it for me. Do you guys have any questions? >> Sorry, what's the color of your >> I'm not at liberty to say. >> Yeah. Any other questions? Actually, I read somewhere that over 50 billion of crypto assets, different cryptocurrencies, are basically just sitting there, >> waiting to be cashed out. Nobody's
cashing out. >> Why is this so easy? Why don't they cash out? Come on. Really? >> I don't know. The problem here is that cyber criminals are not as... Once you've done the cyber crime, you've done all the technical parts that you are able to do because you're a nerdy guy. You've done everything. After that you have to think more politically. You have to go into the mind of someone that you do not know. So what would law enforcement look for? You have to put trust into someone else, and we as IT guys or tech guys are not as trusting of someone that we do not know, right. So on top of that, most transactions, or most big organizations, have dedicated SOC teams and dedicated investigators and dedicated tools. So once they pay the ransom, even if they do pay the ransom, you know that they will previously inform the actual law enforcement. So from the moment that they make the payment, that crypto is immediately getting tracked, right. So law enforcement will know the exact wallet, before even the transaction is made, the exact wallet that they will make the transaction to. Okay, so that's a big problem, and I'm talking from stuff that I saw; law enforcement is quite vocal about that. So once the transaction is made, they will, through specific channels, actually talk to the ransomware operators and they will just say, "Okay, we know about this transaction, be careful." So at that moment the cyber criminals, if they don't really care about their life, will proceed, but in most cases they will just stop, because money laundering brings a hefty, hefty fine, okay, so they will get 20, 30 years in prison for just one operation. So when I said we do this four times, that's really pushing the limits here, because it's really, really hard to do. >> How much of them are the state actors and how much of >> Oh, I would like to tell you the numbers, but everything that I show here is your petty, smaller cyber criminals, right. For the state actors, as already mentioned, like Lazarus and stuff like that, they have different models of pari that they use, but I will not go into that, because they have their own TTPs, which are quite more elaborate to show here. >> I don't think they are afraid of >> Uh, there are some guys that say, okay, you know that, for example, Russia has a policy that if you are not attacking Russia or former SSR states you will not be prosecuted for the stuff that you do. But this comes with a big but, right: there have been some operations where the threat actors actually played a bit too much and they even got arrested in Russia. >> So it all depends on the state and where you work. I mean, how would you prosecute someone in North Korea? >> I mean >> if you can go through the border, congrats. >> Yeah. And bear in mind that if you go with some country, let's call it Never-Never Land, you cannot just... they want real cash there; you cannot withdraw a billion dollars from that country by just shifting cryptocurrency into that country, you will bankrupt that country eventually if they don't have the ability to do business on, like, international exchanges. So for North Korea or whatever, they are not part of the normal financial money flows, so I think maybe that's part of the reason why they cannot just... they have to import this money somehow into the country. >> And most cyber criminals actually never go through the process of converting crypto into something real. Most of the time they will stick with crypto and then buy something that accepts crypto, so some services that accept crypto. They will never go to fiat.
Okay. So, for example, you can pay for specific VPNs with crypto. You can use some online services that you can buy with crypto. So they will spend their funds that way. But again, 100k for them is a once-in-a-lifetime achievement. >> Oh, wait a minute. I'm going to give you the mic. >> Hello. >> Hello. Hello. How much honesty can you hope for when you're dealing with a client that's being, let's say, extorted or threatened? How honest are they with you about what they do, and how much do they listen to your advice? >> The problem here is that a lot of organizations will actually not disclose that they were ransomed and that they paid the ransom. If they can help it, they will not say this. They have some agreement that they will do. But most of the time, current regulations have started to put entities... because they say, okay, you have four days to disclose to a specific authority that you were ransomed. So in that case the cat is already out of the bag and they have to tell you what happened, and in that case they will tell you. But if there is no big headline, for example in the news, or they think that law enforcement didn't catch on to them, most of the time they will not tell. But again, those are the small organizations. The big organizations have a lot of regulations to adhere to in order to continue working. If they mess up even once, for example if our big organization didn't disclose and later on we found out that they didn't disclose, it's a bigger damage to not disclose at the beginning and to be found out later than to tell the truth. >> Yeah. And bear in mind that some countries have a law against paying ransoms. And this is not new. This is not because of crypto, but because of general crime. Like 50 years ago, I think Italy was one of the first that had laws where you are not permitted by law to pay any kind of ransom if you are extorted, because of the problems they had with organized crime. >> And if you pay the ransom you're actually positively motivating them to continue doing the crime, right. So if they know that your country doesn't allow you to pay the ransom, they will most likely not target you, right? >> Okay. >> What are some of the techniques, >> right? So, what are some of the techniques that cyber criminals use to cover their tracks during the operation, the hacking part? You talked about the obfuscation during the crypto and everything, but what about the hacking? What type of techniques, tools? >> So, the cyber criminals here, we are not talking about state-level guys, the guys that do zero-days, one-days, PoCs and stuff like that. We're talking about low-level criminals. Most of the time they will either use some phishing campaigns to gain initial access or they will parse already existing stealer logs. Right? That's their most common initial vector. The thing that I saw is they boast like they did some big hacking stuff, but most of the time they just did an IDOR or something like that. So they exfiltrate the data out.
That's not necessarily as important. Keep in mind a lot of low-level criminals will just pull down, for example, HR department or marketing department data, so nothing critical. They will package it up, they will fill it up even more to say, "Okay, we have 200 gigs of your data." So in that case you did not get fully compromised, and they did not have to do a lot of lateral movement or privilege escalation during the actual engagement. So low-level cyber criminals are all over the place. You never know where they will strike and how much actual damage they actually made. >> Okay, last question over there.
>> Is there something else between, like, Tor relays and... because everybody now knows that Tor isn't that anonymous right now. >> I didn't talk about this, but if we are a good ransomware group, we will use our wallets, for example our Wasabi wallet and stuff like that, in a virtual machine that has specific exits to Tor. So, for example, we will use that in that case. But a VPN is even sufficient for that if we are not a big fish. If we are a big fish, then law enforcement will do whatever they do to track us down. But if we are a smaller fish, Tor is perfectly fine. The problem there is that you have to be okay with the fact that you will wait a long time for the exfiltration of the data, for the actual transaction to be made, and everything on Tor. If you want to automate stuff, it's harder to do it on the Tor network than on the regular internet. So Tor for smaller criminals is quite okay. >> Matia, thank you for a great lecture. >> Thank you.
Now we have a 7-minute break, but be back. We still have two lectures to go today. The next one will be about honeypots, and then we return to cyber crime.