They’ve been heralded as a way of breaking banks’ grip on global financial systems, but decentralised finance (DeFi) technologies are causing headaches for authorities as cybercriminals use the unregulated services to launder billions in cybercrime proceeds every year.

Cybercriminals laundered $11.9 billion ($US8.6b) worth of cryptocurrency using a variety of methods to avoid authorities’ attention, according to a new Chainalysis report that found use of DeFi exploded during 2021 – from 2 per cent of cryptocurrency money-laundering transactions in 2020, to 17 per cent last year.

That’s over $1 billion ($US750 million) worth of cryptocurrency being moved using DeFi, an emerging technology stack that enables the direct transfer of cryptocurrencies between two wallets without scrutiny by banks, regulators, or governments.

The majority of the DeFi-facilitated transfers related to stolen funds, according to Chainalysis – which matches source and destination wallets to trace funds within and between cryptocurrency networks – or to the North Korea-affiliated hackers that stole $550m ($US400m) worth of cryptocurrency last year to circumvent international sanctions.

“Money laundering is a plague on virtually all forms of economic value transfer,” the firm notes, citing UN Office of Drugs and Crime figures suggesting that up to $2.7t ($2t) of normal fiat currency is laundered through conventional channels every year.

“The biggest difference between fiat and cryptocurrency-based money laundering is that, due to the inherent transparency of blockchains, we can more easily trace how criminals move cryptocurrency between wallets and services in their efforts to convert their funds into cash.”

Cryptocurrency’s Wild, Wild West

The surge in criminal use of DeFi during 2021 highlights cybercriminals’ recognition that the evolving ecosystem still lacks the financial controls and official scrutiny being applied to other parts of the cryptocurrency world.

“DeFi is the killer use case of crypto and its underlying blockchain technology,” GlobalData associate analyst Emma Taylor noted during the firm’s recent 2022 outlook webinar, in which she predicted financial giants will this year be pushed by increasingly sophisticated DeFi startups.

The new technology “transforms traditional financial transactions into transparent automatic protocols by using smart contract technology,” Taylor said, “and in this way, traditional financial institutions will be disrupted because there will be no need for them or any other intermediaries.”

That’s music to the ears of cybercriminals who know regulators are slowly catching up with conventional cryptocurrency exchanges – which are being targeted with anti-money-laundering rules such as know your customer (KYC) regulations forcing them to verify users’ personal details and report large transactions to government authorities.

DeFi imposes no such obligations, providing novel services and exchanges to help criminals convert stolen cryptocurrency from one type to another – a process known as ‘chain hopping’ that was, among other cases, used to steal over $42m ($US30) from the Binance Smart Chain.

“This would be less likely to happen with centralised services,” Chainalysis noted, “which unlike DeFi protocols typically ask customers for KYC information upon signup and have more ability as custodial platforms to freeze funds from suspicious sources.”

Cybercrims gaming the system

Even as sophisticated cybercriminals find new ways to launder crypto, everyday scammers are gravitating towards more-conventional, centralised exchanges due to what Chainalysis called their “relative lack of sophistication”.

Many are moving small quantities of cryptocurrencies to fly under the radar of regulations that require exchanges to report transfers greater than, say, $US1,000 – with $260m ($US187.6m) worth of cryptocurrency moved through 3.52 million separate transactions each worth less than $US1,000.

“Compliance teams should consider treating users who consistently send or receive transactions of that size with extra scrutiny,” the firm recommended.

“Repeated instances of transactions just below the threshold may indicate users are structuring – purposely breaking up large payments into smaller ones just below reporting thresholds.”
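
The check that recommendation describes can be sketched as follows. This is an added example, not code from Chainalysis or from the report: only the $US1,000 threshold comes from the article, while the "just below" band, the look-back window, the repeat count and the record layout are assumptions, and the transfers are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REPORT_THRESHOLD_USD = 1_000   # reporting threshold cited in the article
NEAR_BAND = 0.90               # assumption: "just below" means within 10% of it
WINDOW = timedelta(days=7)     # assumption: look-back window for repeats
MIN_HITS = 3                   # assumption: repeats required before flagging

# Constructed sample transfers: (sender, ISO timestamp, amount in USD)
SAMPLE_TRANSFERS = [
    ("user-a", "2021-06-01T09:00:00", 990.00),
    ("user-a", "2021-06-01T09:20:00", 975.50),
    ("user-a", "2021-06-02T11:05:00", 999.99),
    ("user-a", "2021-06-03T08:45:00", 950.00),
    ("user-b", "2021-06-01T10:00:00", 120.00),   # small, but nowhere near the threshold
    ("user-b", "2021-06-04T10:00:00", 40.00),
    ("user-c", "2021-06-01T12:00:00", 995.00),   # near-threshold, but months apart
    ("user-c", "2021-07-15T12:00:00", 998.00),
    ("user-c", "2021-09-01T12:00:00", 991.00),
    ("user-d", "2021-06-01T12:00:00", 5000.00),  # above threshold: reported anyway
]

def find_structuring(transfers, threshold=REPORT_THRESHOLD_USD, band=NEAR_BAND,
                     window=WINDOW, min_hits=MIN_HITS):
    """Return {sender: (hits, total_usd)} for senders with at least min_hits
    near-threshold transfers inside one window whose sum exceeds the threshold."""
    near = defaultdict(list)
    for sender, ts, amount in transfers:
        if threshold * band <= amount < threshold:
            near[sender].append((datetime.fromisoformat(ts), amount))

    flagged = {}
    for sender, rows in near.items():
        rows.sort()
        start, running = 0, 0.0
        for end, (ts, amount) in enumerate(rows):
            running += amount
            # Slide the window start forward until it spans at most `window`.
            while ts - rows[start][0] > window:
                running -= rows[start][1]
                start += 1
            hits = end - start + 1
            if hits >= min_hits and running > threshold:
                if hits > flagged.get(sender, (0, 0.0))[0]:
                    flagged[sender] = (hits, round(running, 2))
    return flagged

if __name__ == "__main__":
    for sender, (hits, total) in find_structuring(SAMPLE_TRANSFERS).items():
        print(f"{sender}: {hits} near-threshold transfers, ${total:,.2f} in window")
```

Only the densest window per sender is reported, so a compliance queue gets one entry per account rather than one per transfer.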

Monitoring cybercriminals’ manipulation of cryptocurrencies has given analysts a good idea of which accounts are being used for criminal activity – and it turns out a relatively small number of accounts are receiving the lion’s share of the loot.

Just 583 different deposit addresses received 54 per cent of all cryptocurrency laundered last year, highlighting the use of DeFi to move massive windfalls from ransomware, cryptocurrency-stealing malware, and other campaigns.

Indeed, the largest transfer recorded by Chainalysis was a $284.5m ($US205.6m) windfall from the massive Finiko Ponzi scheme, which was transferred to a single cryptocurrency deposit address.

As they continue to progress the state of the art, the report advises, DeFi protocol teams must “work to prevent their products from being abused by cybercriminals” – for example, by monitoring transactions to see if funds are interacting with known cybercrime-related deposit addresses.

“Blockchain analysis,” the firm noted, “can supplement more established investigative techniques law enforcement is already well-versed in.”