Dan Kitwood | Getty Images
A major way criminals in the crypto world launder money is by sending digital assets across blockchains, bypassing a centralized service that can trace and freeze transactions.
They use so-called cross-chain bridges to make it happen, and the dollar amounts are getting large. One particular cross-chain bridge called RenBridge has been used to launder at least $540 million in crime-related crypto cash since 2020, according to new research from blockchain analytics firm Elliptic.
Included in that amount is $153 million in ransomware payments, meaning hackers are using RenBridge when they break into corporate networks and force companies to pay up to get their data back. Elliptic says RenBridge was “an important facilitator” for Russia-linked ransomware gangs.
David Carlisle, Elliptic’s vice president of policy and regulatory affairs, said cross-chain bridges are “a bit of a blessing and a curse” at the moment. Like so many popular crypto tools, they help expand the market by giving people more ways to pay and transact. Cross-chain bridges are notably vital to the development of the decentralized finance, or DeFi, space, which is crypto’s alternative to the banking system.
The flipside is, “they’re effectively ungoverned, and so very vulnerable to hacks, or to being used in crimes like money laundering,” Carlisle told CNBC.
Carlisle said he expects regulators to start zeroing in on bridges in the next six to 12 months, as governments continue to crack down on the darkest corners of the crypto world.
On Monday, the Treasury Department blacklisted crypto mixing service Tornado Cash, alleging the service was used to launder more than $7 billion worth of virtual currency since 2019. Carlisle said the action taken by the Treasury’s Office of Foreign Assets Control shows that U.S. regulators are prepared to go after criminal behavior in crypto.
“One major question is whether bridges will become subject to regulation, since they act a lot like crypto exchanges, which are already regulated,” Carlisle said.
Developers have built cross-chain bridges to let users send tokens from one chain to another. Transfers of digital assets between chains rely on Darknodes, or networks of thousands of pseudonymous validators. That’s allowed them to become a prime tool for obfuscating crypto cash.
RenBridge became a popular destination to do just that. Elliptic says it’s been used to launder assets originating from theft, fraud, ransomware, and various other types of criminal activity.
Other crypto assets laundered across RenBridge were likely stolen by North Korea, Elliptic said. The service was also used by the Conti cybercrime group, which recently attacked the Costa Rican government and triggered a national state of emergency. Elliptic’s research shows that Conti has laundered more than $53 million through RenBridge.
“Cross-chain bridges are a loophole in the regulatory regime that has been painstakingly established by governments around the world, to combat crypto laundering,” said Tom Robinson, Elliptic’s chief scientist.
RenBridge is a go-to option for those looking to clean stolen cash. More than $267 million in crypto assets taken from exchanges and DeFi services were laundered through RenBridge in the last two years, including $33.8 million from Japanese crypto exchange Liquid, according to Elliptic.
The bridges are particularly vulnerable to attacks.
Blockchain cybersecurity firm CertiK previously noted that when bridges hold hundreds of millions of dollars of assets in escrow and multiply their possible vectors of attack by operating across two or more blockchains, they become prime targets for hackers.
Last week, a bridge known as Nomad lost almost $200 million in a devastating exploit resulting from a bug. Within hours, the thieves began using RenBridge to launder the money. Thus far, $2.4 million in crypto assets stolen from Nomad have been sent through RenBridge, according to Elliptic.
“Ransomware gangs, fraudsters and even North Korean hackers are shifting from regulated crypto exchanges to a decentralized, unregulated alternative,” Robinson said.
RenBridge is an open protocol, so it doesn’t operate with a CEO or any central figureheads. CNBC reached out to the support email address listed on Ren’s Crunchbase profile to request comment.