APT Group Cryptocurrency Money Laundering
Reacting to cyber attacks by an Advanced Persistent Threat (APT) group on critical US infrastructure, an FRA Director conducted thorough and sophisticated cryptocurrency asset tracing to identify and disrupt the group's activities.
Challenge
An FRA Director, while a Special Agent at the Federal Bureau of Investigation (FBI), led a multi-division investigation into cyber attacks by an Advanced Persistent Threat (APT) group on US critical infrastructure. The scope of the APT group’s server network was unknown, which left critical gaps in the understanding of the APT group’s computer intrusion campaign and intended targets.
Action
After identifying that numerous Virtual Private Servers (VPSs) used by the APT group were paid for using bitcoin, the FRA Director conducted extensive cryptocurrency asset tracing and identified hundreds of additional bitcoin wallet addresses that were likely controlled by the same APT group. Additional asset tracing on those wallets revealed numerous outbound payments to VPS providers, which led to the identification of additional VPSs used by the APT group for operational purposes. By combining blockchain analytics with unstructured data sets, the FRA Director identified specific tactics, techniques, and procedures the APT group used to rapidly open large quantities of accounts with cryptocurrency exchanges and VPS providers. This sharpened the FBI’s understanding of how this APT group laundered their bitcoin before using it to purchase VPSs, which allowed the FBI to fingerprint the group’s on-chain activity.
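As an added illustration of the tracing walk described above (example code written for this page, not FRA's or the FBI's tooling): starting from a wallet address already known to have paid a VPS provider, it applies the common-input-ownership heuristic to find addresses that co-spend with it in the same transaction, then lists outbound payments from that expanded cluster to known provider deposit addresses. Every transaction, address and provider label below is constructed; real work runs this over full blockchain data, and the heuristic is broken by CoinJoin-style mixing, so its hits are leads to corroborate, not attribution on their own.

```python
"""Toy bitcoin asset-tracing walk (added example, not FRA/FBI tooling).

Assumptions (all constructed for illustration):
- TXS is a simplified transaction list: each entry has the input addresses
  that were spent and the (output address, amount) pairs that were created.
- VPS_PROVIDERS maps known provider deposit addresses to a provider label.
- SEED is the set of addresses already known to have paid for actor VPSs.
The common-input-ownership heuristic treats all inputs of one transaction
as controlled by the same entity. It is a lead-generation heuristic only.
"""
from collections import Counter

# Constructed sample ledger; address strings are placeholders, not real ones.
TXS = [
    {"id": "tx1", "inputs": ["A1"], "outputs": [("VPS_X", 0.05), ("A2", 0.10)]},
    {"id": "tx2", "inputs": ["A1", "A2"], "outputs": [("A3", 0.14)]},   # co-spend links A2 to A1
    {"id": "tx3", "inputs": ["A2", "A4"], "outputs": [("A5", 0.30)]},   # co-spend links A4
    {"id": "tx4", "inputs": ["A4"], "outputs": [("VPS_Y", 0.03), ("A6", 0.01)]},  # new VPS payment
    {"id": "tx5", "inputs": ["B1"], "outputs": [("VPS_X", 0.02)]},      # unrelated customer
    {"id": "tx6", "inputs": ["A5"], "outputs": [("EXCH", 0.29)]},       # exchange deposit
]
VPS_PROVIDERS = {"VPS_X": "provider-x", "VPS_Y": "provider-y"}
SEED = {"A1"}


def cluster_addresses(txs, seeds):
    """Return every input address reachable from the seeds by co-spending.

    Union-find over transaction inputs: each transaction merges all of its
    input addresses into one cluster. Output-only addresses (e.g. A3) never
    appear as inputs here, so they are not clustered; a change-address
    heuristic would be needed to pull them in.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for tx in txs:
        ins = tx["inputs"]
        for other in ins[1:]:
            union(ins[0], other)
    roots = {find(s) for s in seeds}
    return {a for a in parent if find(a) in roots}


def vps_payments(txs, cluster, providers):
    """List (txid, paying address, provider, amount) for payments from the
    cluster to any known provider deposit address."""
    hits = []
    for tx in txs:
        if not any(i in cluster for i in tx["inputs"]):
            continue  # payer not in the actor cluster (e.g. B1 in tx5)
        for addr, amount in tx["outputs"]:
            if addr in providers:
                hits.append((tx["id"], tx["inputs"][0], providers[addr], amount))
    return hits


def trace(txs, seeds, providers):
    """One tracing pass: expand the seed set, then find provider payments."""
    cluster = cluster_addresses(txs, seeds)
    hits = vps_payments(txs, cluster, providers)
    return {
        "cluster": sorted(cluster),
        "new_addresses": sorted(cluster - set(seeds)),
        "payments": hits,
        "per_provider": dict(Counter(h[2] for h in hits)),
    }


if __name__ == "__main__":
    report = trace(TXS, SEED, VPS_PROVIDERS)
    print("cluster        :", report["cluster"])
    print("new addresses  :", report["new_addresses"])
    for txid, payer, provider, amt in report["payments"]:
        print(f"{txid}: {payer} -> {provider} ({amt} BTC)")
    print("per provider   :", report["per_provider"])
```

In this constructed ledger the seed A1 expands to the cluster A1, A2, A4; tx4 then surfaces a second VPS payment (to provider-y) that was not visible from the seed alone, while B1's payment to the same provider in tx5 is correctly left out because it never co-spends with the cluster. That is the shape of the "additional wallets, then additional VPSs" step in the narrative above.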
Result
The FRA Director used this new understanding to work proactively with cryptocurrency exchanges and VPS providers to identify when the APT group was establishing new accounts. This rapidly increased the FBI's visibility into the APT group's infrastructure network and generated additional indicators of compromise that could be shared with victims.