Crypto Theft Rose in 2022 as Scams, Ransomware Bounty Fell: Chainalysis

2022 became a year of crypto thefts, but illicit transactions still account only for a meager share of all crypto activity, Chainalysis says.

AccessTimeIconFeb 17, 2023 at 3:54 a.m. UTC
Updated Feb 17, 2023 at 5:55 p.m. UTC

The volume of crime-related transactions rose for the second consecutive year, hitting an all-time high of $20.6 billion, blockchain analytics firm Chainalysis says in its new "Crypto Crime Report." But that is a small share of total volume of the crypto market: less than 1%.

Thieves, hackers, exploiters

2022 became the biggest year for crypto thieves. According to Chainalysis, about $3.8 billion, more than in any other year, was stolen from various services and protocols, $775.7 million of which was stolen in October alone. At the same time, total revenue of scammers and ransomware hackers declined, the report says.

82.1% of all the stolen funds were taken from decentralized finance (DeFi) protocols, especially cross-chain bridges – protocols allowing users to trade assets between two different blockchains. “Bridges are an attractive target for hackers because the smart contracts in effect become huge, centralized repositories of funds backing the assets that have been bridged to the new chain – a more desirable honeypot could scarcely be imagined,” the report reads.

A growing trend in DeFi hacks is oracle manipulation, when an attacker compromises the mechanisms by which a decentralized protocol gets a price for traded assets, and creates favorable conditions for fast and super-profitable trades, Chainalysis says. According to the report, in 2022, DeFi protocols lost $386.2 million in 41 separate oracle manipulation attacks.

One example of this is a Mango Markets exploit, for which the alleged attacker, Avraham Eisenberg, was arrested and now is facing commodity manipulation charges in U.S. court.

North Korean hackers from the Lazarus group broke their own record in 2022: $1.7 billion stolen from several victims. Most of that money was sent to decentralized exchanges and several mixers: Tornado Cash, and, after the shutdown of Blender, to Sinbad. Sinbad may have been launched by the same team that ran Blender, blockchain intel firm Elliptic said earlier.

The weight of sanctions

There might be one big skewing factor to the overall illicit transactions statistics: 43% of all 2022’s illicit transaction volume came from activity associated with sanctioned entities, Chainalysis said.

A big part of these illicit money flows are funds received by sanctioned entity Garantex, which is likely just “Russian users using a Russian exchange,” Chainalysis said, but most compliance professionals treat these transactions as illicit activity anyway, it adds.

In 2022, the U.S. sanctioned Russian darknet marketplace Hydra, exchange Garantex, crypto mixers and Tornado Cash. Not all the money these sanctioned services processed were of criminal origins: Only 6.1% of the funds Garantex received came from illicit sources (still 20 times more than centralized exchanges in average); for Tornado Cash, the number is 34%, according to Chainalysis.

Sanctions seriously curbed the flow of funds into Tornado Cash, but Garantex remained as active as ever, and saw even more incoming funds from known scams and darknet shops, Chainalysis said.

Sanctions also seem to reduce the popularity of mixers: In 2022, $7.8 billion in crypto passed through mixers, compared to $11.5 billion in 2021. The U.S. Office of Foreign Assets Control (OFAC) sanctioned mixers Tornado Cash and last year because both services had been actively used by the North Korean hacker group Lazarus.

Money laundering trends

Crypto infrastructure remains open to ransomware hackers because they most often send extorted money to centralized crypto exchanges, Chainlaysis said. The centralized exchanges, despite the intensified attention of law enforcement agencies around the world over the past few years, remain the major receivers of criminal funds, Chainalysis said.

However, hackers that steal crypto from exchanges and other entities prefer DeFi platforms for money laundering, especially when the DeFi protocols themselves are victims, the report says. “In DeFi hacks, attackers often end up with tokens that aren’t listed on other exchanges, so they need to use decentralized exchanges (DEX) to swap them for more liquid crypto assets,” according to Chainalysis.

Other cybercriminals usually use darknet platforms, mixers and centralized exchanges with weak KYC (Know Your Customer) protections, like Bitzlato, whose founder and other staff members arrested in January.

Police double-spends

The report looks into a particular case of one ransomware strain, Deadbolt, which was active in 2022. Unlike the most infamous ransomware groups such as Conti, attacking large organizations for big ransoms, Deadbolt operators chose to target small businesses and individuals. In 2022 it received over $2.3 million from around 4,923 victims, who paid about $476 each, on average.

A twist here is the way this group sent decryption keys to their victims who paid the ransom: Once a victim sent a bitcoin transaction to Deadbolt’s address, another transaction would get triggered automatically, sending back a meager amount of bitcoin (around $1) with the decryption key written into the OP-RETURN field of the transaction data.

This mechanism helped the Dutch Royal Police, which investigated the group, to get decryption keys for a dozen victims without them having to par with their money. The police sent payout transactions to the hackers, but as soon as they received the key they reverted the payouts using the replace-by-fee mechanism.

Replace-by-fee allows replacement of the already initiated transaction in the Bitcoin blockchain with a new one with a higher fee, so the miners would include a more profitable transaction into the blockchain and the first one would became invalid as the bitcoin is already spent.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Anna Baydakova

Anna Baydakova was CoinDesk's investigative reporter with a special focus on Eastern Europe and Russia. Anna owns BTC and an NFT.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.