Ransomware hackers have a new money-laundering trick: mining new coins to replace “tainted” ones, blockchain analytics firm Chainalysis said in a blog post on Thursday.

The firm located 372 exchange deposit wallets that received both mining profits and ransomware proceeds, Chainalysis wrote. These addresses altogether have received $158.3 million from ransomware-related wallets since 2018.

“Overall, the data suggests that mining pools may play a key role in many ransomware actors’ money laundering strategy,” Chainalsysis wrote

This fashion of money laundering is becoming increasingly popular, with ransomware-related wallets sending more and more funds to mining pools since 2018.

Chainalsysis gives an example of a deposit wallet on an unnamed popular crypto exchange that received large amounts of crypto from ransomware incidents and mining pools. Of the $94.2 million worth of cryptocurrency sent to that deposit address, $19.1 million has come from ransomware addresses and $14.1 million has come from mining pools, Chainalysis calculated.

Although the funds always came to the exchange via intermediary wallets, Chainalysis found instances in which the wallet receiving ransomware proceeds sent funds directly to the mining pool wallet, which then sent the coins to the exchange. This might mean that both the ransomware- and mining-related wallets belong to the same owner, who is using mining as a way to launder criminal funds, Chainalysis wrote.

“In this scenario, the mining pool acts similarly to a mixer in that it obfuscates the origin of funds (reminder: you can’t trace crypto through services, mining pools included) and creates the illusion that the funds are proceeds from mining rather than from ransomware,” the blog post reads.

The BitClub Network scam, which pretended to be operating a crypto mining business until its operators were indicted by the DOJ in 2020, also used this scheme, Chainalysis wrote. The wallets attributed to BitClub used the same set of deposit address on two exchanges as “a Russia-based Bitcoin mining operation,” Chainalysis wrote, without naming the mining firm.

This might have been a trick to make exchanges believe that the funds are coming from mining, not from crime, Chainalsysis wrote. Exchange deposit addresses that received money both from scams and mining pools received a little less than $1.1 billion worth of crypto since 2018, according to the firm.

The North Korean hacking group APT43, also referred as Archipelago, is also investing the crypto it steals into mining, cyber security firm Mandiant said in a report earlier this year. This way, the hackers replace the coins tainted by criminal association with new, “clean” ones.